CVE-2025-32948

Source
https://cve.org/CVERecord?id=CVE-2025-32948
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32948.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-32948
Published
2025-04-15T15:16:09.470Z
Modified
2026-04-10T05:25:17.953702Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

The vulnerability allows any attacker to cause the PeerTube server to stop functioning or, in special cases, to make it send requests to arbitrary URLs (blind SSRF). Attackers can send ActivityPub activities to PeerTube's "inbox" endpoint. By abusing the "Create Activity" functionality, it is possible to create crafted playlists that cause either denial of service or an attacker-controlled blind SSRF.

References

Affected packages

Git / github.com/chocobozzz/peertube

Affected ranges

Type
GIT
Repo
https://github.com/chocobozzz/peertube
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.1.1"
        }
    ]
}

Affected versions

v0.*
v0.0.11-alpha
v0.0.12-alpha
v0.0.13-alpha
v0.0.14-alpha
v0.0.16-alpha
v0.0.17-alpha
v0.0.18-alpha
v0.0.19-alpha
v0.0.20-alpha
v0.0.21-alpha
v0.0.22-alpha
v0.0.23-alpha
v0.0.27-alpha
v0.0.28-alpha
v0.0.29-alpha
v0.0.3-alpha
v0.0.4-alpha
v0.0.5-alpha
v0.0.6-alpha
v0.0.8-alpha
v0.0.9-alpha
v1.*
v1.0.0-alpha.1
v1.0.0-alpha.10
v1.0.0-alpha.2
v1.0.0-alpha.3
v1.0.0-alpha.4
v1.0.0-alpha.5
v1.0.0-alpha.6
v1.0.0-alpha.7
v1.0.0-alpha.8
v1.0.0-alpha.9
v1.0.0-beta.1
v1.0.0-beta.10.pre.1
v1.0.0-beta.10.pre.2
v1.0.0-beta.10.pre.3
v1.0.0-beta.11
v1.0.0-beta.12
v1.0.0-beta.13
v1.0.0-beta.14
v1.0.0-beta.15
v1.0.0-beta.16
v1.0.0-beta.2
v1.0.0-beta.3
v1.0.0-beta.4
v1.0.0-beta.5
v1.0.0-beta.6
v1.0.0-beta.7
v1.0.0-beta.8
v1.0.0-beta.9
v1.0.0-rc.1
v1.0.0-rc.2
v1.1.0
v1.1.0-alpha.1
v1.1.0-rc.1
v1.3.0-rc.1
v1.4.0-rc.1
v2.*
v2.0.0
v2.0.0-rc.1
v2.1.0-rc.1
v2.2.0-rc.1
v2.3.0-rc.1
v2.4.0
v2.4.0-rc.1
v3.*
v3.0.0
v3.0.0-rc.1
v3.1.0-rc.1
v3.3.0
v3.3.0-rc.1
v3.4.0
v3.4.0-rc.1
v4.*
v4.0.0-rc.1
v4.1.0
v4.1.0-rc.1
v4.2.0-rc.1
v4.3.0
v4.3.0-rc.1
v5.*
v5.0.0
v5.0.0-rc.1
v5.1.0-rc.1
v5.2.0
v5.2.0-rc.1
v6.*
v6.0.0
v6.0.0-rc.1
v6.0.0-rc.2
v6.0.1
v6.0.2
v6.1.0
v6.1.0-rc.1
v6.2.0
v6.2.0-rc.1
v6.2.1
v6.3.0
v6.3.0-rc.1
v6.3.1
v7.*
v7.0.0
v7.0.0-rc.1
v7.0.1
v7.1.0
v7.1.0-rc.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32948.json"