Executive Summary

Informations
Name CVE-2025-32949 First vendor Publication 2025-04-15
Vendor Cve Last vendor Modification 2025-04-15

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score N/A Attack Range N/A
Cvss Impact Score N/A Attack Complexity N/A
Cvss Expoit Score N/A Authentication N/A
Calculate full CVSS 2.0 Vectors scores

Detail

This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a Zip Bomb.

If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. The yauzl library does not contain any mechanism to detect or prevent extraction of a Zip Bomb https://en.wikipedia.org/wiki/Zip_bomb . Therefore, when using the User Import functionality with a Zip Bomb, PeerTube will try extracting the archive which will cause a disk space resource exhaustion.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32949

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)

Sources (Detail)

https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1
https://research.jfrog.com/vulnerabilities/peertube-archive-resource-exhaustion/
Source Url

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2025-05-27 02:57:14
  • First insertion