CVE-2025-32944 MEDIUM

CVE-2025-32944: PeerTube User Import Authenticated Persistent Denial of Service

Weakness CWE-248
Published April 15, 2025
Last update April 15, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner.  If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup.

Key dates

02Disclosure timeline

April 15, 2025 CVE published
April 15, 2025 Record updated