CVE-2025-32949

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-32949

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32949.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-32949

Published

2025-04-15T15:16:09Z

Modified

2025-05-28T10:29:26.230701Z

Summary

[none]

Details

This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a Zip Bomb.

If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. The yauzl library does not contain any mechanism to detect or prevent extraction of a Zip Bomb https://en.wikipedia.org/wiki/Zip_bomb . Therefore, when using the User Import functionality with a Zip Bomb, PeerTube will try extracting the archive which will cause a disk space resource exhaustion.

References

Affected packages

Git / github.com/chocobozzz/peertube

Affected ranges

Type: GIT
Repo: https://github.com/chocobozzz/peertube
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b9c3a4837e6a5e5d790e55759e3cf2871df4f03c

Affected versions

test-tag-1.*

test-tag-1.0.0

v0.*

v0.0.11-alpha

v0.0.12-alpha

v0.0.13-alpha

v0.0.14-alpha

v0.0.16-alpha

v0.0.17-alpha

v0.0.18-alpha

v0.0.19-alpha

v0.0.20-alpha

v0.0.21-alpha

v0.0.22-alpha

v0.0.23-alpha

v0.0.27-alpha

v0.0.28-alpha

v0.0.29-alpha

v0.0.3-alpha

v0.0.4-alpha

v0.0.5-alpha

v0.0.6-alpha

v0.0.8-alpha

v0.0.9-alpha

v1.*

v1.0.0

v1.0.0-alpha.1

v1.0.0-alpha.10

v1.0.0-alpha.2

v1.0.0-alpha.3

v1.0.0-alpha.4

v1.0.0-alpha.5

v1.0.0-alpha.6

v1.0.0-alpha.7

v1.0.0-alpha.8

v1.0.0-alpha.9

v1.0.0-beta.1

v1.0.0-beta.10

v1.0.0-beta.10.pre.1

v1.0.0-beta.10.pre.2

v1.0.0-beta.10.pre.3

v1.0.0-beta.11

v1.0.0-beta.12

v1.0.0-beta.13

v1.0.0-beta.14

v1.0.0-beta.15

v1.0.0-beta.16

v1.0.0-beta.2

v1.0.0-beta.3

v1.0.0-beta.4

v1.0.0-beta.5

v1.0.0-beta.6

v1.0.0-beta.7

v1.0.0-beta.8

v1.0.0-beta.9

v1.0.0-rc.1

v1.0.0-rc.2

v1.0.1

v1.1.0

v1.1.0-alpha.1

v1.1.0-rc.1

v1.2.0

v1.2.0-rc.1

v1.2.1

v1.3.0

v1.3.0-rc.1

v1.3.0-rc.2

v1.3.1

v1.4.0

v1.4.0-rc.1

v1.4.1

v2.*

v2.0.0

v2.0.0-rc.1

v2.1.0

v2.1.0-rc.1

v2.1.1

v2.2.0

v2.2.0-rc.1

v2.3.0

v2.3.0-rc.1

v2.4.0

v2.4.0-rc.1

v3.*

v3.0.0

v3.0.0-rc.1

v3.0.1

v3.1.0

v3.1.0-rc.1

v3.2.0

v3.2.0-rc.1

v3.2.1

v3.3.0

v3.3.0-rc.1

v3.4.0

v3.4.0-rc.1

v3.4.1

v4.*

v4.0.0

v4.0.0-rc.1

v4.1.0

v4.1.0-rc.1

v4.1.1

v4.2.0

v4.2.0-rc.1

v4.2.1

v4.2.2

v4.3.0

v4.3.0-rc.1

v4.3.1

v5.*

v5.0.0

v5.0.0-rc.1

v5.0.1

v5.1.0

v5.1.0-rc.1

v5.2.0

v5.2.0-rc.1

v5.2.1

v6.*

v6.0.0

v6.0.0-rc.1

v6.0.0-rc.2

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.1.0

v6.1.0-rc.1

v6.2.0

v6.2.0-rc.1

v6.2.1

v6.3.0

v6.3.0-rc.1

v6.3.1

v6.3.2

v6.3.3

v7.*

v7.0.0

v7.0.0-rc.1

v7.0.1

v7.1.0

v7.1.0-rc.1