CVE-2025-32945

4.3 MEDIUM

📋 TL;DR

This vulnerability allows authenticated PeerTube users to create playlists in other users' channels without authorization. It affects PeerTube instances where user accounts exist and the REST API is accessible. The issue stems from improper ownership validation when creating playlists through the API.

💻 Affected Systems

Products:
  • PeerTube
Versions: before v7.1.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all PeerTube instances with user accounts and API access enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Malicious users could spam other users' channels with unwanted playlists, potentially disrupting content organization and causing confusion among viewers.

🟠

Likely Case

Users could create playlists in other channels, causing minor disruption and violating channel owner control over their content organization.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to unauthorized playlist creation that can be detected and removed.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access to the PeerTube REST API.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v7.1.1

Vendor Advisory: https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1

Restart Required: Yes

Instructions:

1. Back up your PeerTube instance.
2. Update to PeerTube v7.1.1 or later.
3. Restart the PeerTube service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Restrict API Access (applies to: all)

Limit REST API access to trusted networks or implement additional authentication layers:

  • Configure firewall rules to restrict API endpoint access
  • Implement API rate limiting

🧯 If You Can't Patch

  • Monitor API logs for unauthorized playlist creation attempts
  • Implement additional authorization checks at the application layer

🔍 How to Verify

Check if Vulnerable:

Check if PeerTube version is earlier than v7.1.1

Check Version:

Check PeerTube admin panel or run: npm list --depth=0 | grep peertube

Verify Fix Applied:

Verify that the PeerTube version is v7.1.1 or later, then test playlist creation to confirm that a user can no longer create a playlist in a channel they do not own.

📡 Detection & Monitoring

Log Indicators:

  • API requests creating playlists with channel IDs different from requester's channels
  • Unusual playlist creation patterns

Network Indicators:

  • HTTP POST requests to /api/v1/video-playlists endpoint with mismatched user/channel IDs

SIEM Query:

source="peertube" AND (uri_path="/api/v1/video-playlists" AND http_method="POST") | stats count by user_id, channel_id
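The SIEM query above only groups playlist-creation requests by requester and channel; the actual indicator (from the Log Indicators and "If You Can't Patch" items) is a request whose target channel is not owned by the requester. The following Python script is an added example, not part of this advisory or of PeerTube, that applies that ownership check to a constructed set of JSON-per-line access-log records. The log field names (user, method, path, body.videoChannelId) and the channel-ownership table are assumptions made for the example; in a real deployment the ownership map would come from the PeerTube database or its channel API.

```python
import json
from dataclasses import dataclass

# Constructed sample ownership table: channel ID -> owning user.
# Assumption for this example; not PeerTube's data model.
CHANNEL_OWNERS = {
    101: "alice",
    102: "alice",
    201: "bob",
}

# Constructed sample access-log lines (one JSON object per line).
# The field names are assumptions, not PeerTube's own log schema.
SAMPLE_LOG = """
{"user": "alice", "method": "POST", "path": "/api/v1/video-playlists", "body": {"displayName": "My list", "videoChannelId": 101}}
{"user": "bob", "method": "POST", "path": "/api/v1/video-playlists", "body": {"displayName": "Spam", "videoChannelId": 101}}
{"user": "bob", "method": "GET", "path": "/api/v1/video-playlists", "body": {}}
{"user": "bob", "method": "POST", "path": "/api/v1/video-playlists", "body": {"displayName": "Mine", "videoChannelId": 201}}
{"user": "carol", "method": "POST", "path": "/api/v1/video-playlists", "body": {"displayName": "Private", "videoChannelId": null}}
"""


@dataclass(frozen=True)
class Finding:
    """One playlist-creation request aimed at a channel the requester does not own."""
    user: str
    channel_id: int
    owner: str
    display_name: str


def is_playlist_create(event):
    """True for the endpoint/method pair named in the advisory's network indicator."""
    return event.get("method") == "POST" and event.get("path") == "/api/v1/video-playlists"


def find_cross_channel_creates(log_text, channel_owners):
    """Return a Finding for every playlist-creation request whose target channel
    is owned by someone other than the requesting user (or by nobody known)."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if not is_playlist_create(event):
            continue
        body = event.get("body") or {}
        channel_id = body.get("videoChannelId")
        if channel_id is None:
            # No channel in the request (e.g. a private playlist): nothing to compare.
            continue
        owner = channel_owners.get(channel_id, "<unknown>")
        if owner != event.get("user"):
            findings.append(Finding(
                user=event.get("user", "<anonymous>"),
                channel_id=channel_id,
                owner=owner,
                display_name=body.get("displayName", ""),
            ))
    return findings


def summarize(findings):
    """Count findings per (requester, channel) pair, the same shape as the
    SIEM 'stats count by user_id, channel_id' but restricted to mismatches."""
    counts = {}
    for f in findings:
        key = (f.user, f.channel_id)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_cross_channel_creates(SAMPLE_LOG, CHANNEL_OWNERS)
    for f in hits:
        print(f"ALERT user={f.user} created playlist {f.display_name!r} "
              f"in channel {f.channel_id} owned by {f.owner}")
    print(summarize(hits))
```

Only the second record is flagged: bob targets channel 101, which alice owns. alice's and bob's requests against their own channels and carol's channel-less request are ignored, so the alert volume stays tied to the actual misuse pattern rather than to all playlist activity.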
