Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-32949

Summary
Assigner-JFROG
Assigner Org ID-48a46f29-ae42-4e1d-90dd-c1676c1e5e6d
Published At-15 Apr, 2025 | 14:57
Updated At-15 Apr, 2025 | 15:18
Rejected At-
Credits

PeerTube User Import Authenticated Resource Exhaustion

This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a Zip Bomb. If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. The yauzl library does not contain any mechanism to detect or prevent extraction of a Zip Bomb https://en.wikipedia.org/wiki/Zip_bomb . Therefore, when using the User Import functionality with a Zip Bomb, PeerTube will try extracting the archive which will cause a disk space resource exhaustion.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:JFROG
Assigner Org ID:48a46f29-ae42-4e1d-90dd-c1676c1e5e6d
Published At:15 Apr, 2025 | 14:57
Updated At:15 Apr, 2025 | 15:18
Rejected At:
▼CVE Numbering Authority (CNA)
PeerTube User Import Authenticated Resource Exhaustion

This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a Zip Bomb. If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. The yauzl library does not contain any mechanism to detect or prevent extraction of a Zip Bomb https://en.wikipedia.org/wiki/Zip_bomb . Therefore, when using the User Import functionality with a Zip Bomb, PeerTube will try extracting the archive which will cause a disk space resource exhaustion.

Affected Products
Collection URL
https://github.com
Package Name
Chocobozzz/PeerTube
Default Status
unaffected
Versions
Affected
  • From 0 before 7.1.1 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-409CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
Type: CWE
CWE ID: CWE-409
Description: CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1
patch
https://research.jfrog.com/vulnerabilities/peertube-archive-resource-exhaustion/
third-party-advisory
Hyperlink: https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1
Resource:
patch
Hyperlink: https://research.jfrog.com/vulnerabilities/peertube-archive-resource-exhaustion/
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:reefs@jfrog.com
Published At:15 Apr, 2025 | 15:16
Updated At:15 Apr, 2025 | 18:39

This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a Zip Bomb. If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. The yauzl library does not contain any mechanism to detect or prevent extraction of a Zip Bomb https://en.wikipedia.org/wiki/Zip_bomb . Therefore, when using the User Import functionality with a Zip Bomb, PeerTube will try extracting the archive which will cause a disk space resource exhaustion.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-409Primaryreefs@jfrog.com
CWE ID: CWE-409
Type: Primary
Source: reefs@jfrog.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1reefs@jfrog.com
N/A
https://research.jfrog.com/vulnerabilities/peertube-archive-resource-exhaustion/reefs@jfrog.com
N/A
Hyperlink: https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1
Source: reefs@jfrog.com
Resource: N/A
Hyperlink: https://research.jfrog.com/vulnerabilities/peertube-archive-resource-exhaustion/
Source: reefs@jfrog.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

4Records found
CVE-2023-0821
Matching Score-4
Assigner-HashiCorp Inc.
ShareView Details
Matching Score-4
Assigner-HashiCorp Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 46.66%
||
7 Day CHG~0.00%
Published-16 Feb, 2023 | 21:23
Updated-18 Mar, 2025 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nomad Client Vulnerable to Decompression Bombs in Artifact Block

HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4.

Action-Not Available
Vendor-HashiCorp, Inc.
Product-nomadNomad EnterpriseNomad
CWE ID-CWE-409
Improper Handling of Highly Compressed Data (Data Amplification)
CVE-2024-1947
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 36.57%
||
7 Day CHG~0.00%
Published-23 May, 2024 | 11:02
Updated-13 Dec, 2024 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Handling of Highly Compressed Data (Data Amplification) in GitLab

A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-409
Improper Handling of Highly Compressed Data (Data Amplification)
CVE-2024-55909
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.06% / 19.54%
||
7 Day CHG~0.00%
Published-02 May, 2025 | 00:35
Updated-28 Aug, 2025 | 14:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Concert Software denial of service

IBM Concert Software 1.0.0 through 1.0.5 could allow an authenticated user to cause a denial of service due to the expansion of archive files without controlling resource consumption.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, Inc
Product-concertlinux_kernelConcert Software
CWE ID-CWE-409
Improper Handling of Highly Compressed Data (Data Amplification)
CVE-2024-54682
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.11% / 29.35%
||
7 Day CHG~0.00%
Published-16 Dec, 2024 | 08:03
Updated-16 Dec, 2024 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Zipbomb DoS via Missing Slack Import Validation

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin.

Action-Not Available
Vendor-Mattermost, Inc.
Product-Mattermost
CWE ID-CWE-409
Improper Handling of Highly Compressed Data (Data Amplification)
Details not found