CVE-2025-32947

7.5 HIGH

📋 TL;DR

A remote, unauthenticated attacker can send a specially crafted ActivityPub activity to a PeerTube instance's inbox endpoint and drive the server into an infinite loop, after which it stops answering legitimate requests (denial of service). PeerTube runs on Node.js, so a request handler that never returns starves the event loop and the whole process stops responding, not just the one request. Because an instance has to expose its inbox to the internet in order to federate at all, essentially every production PeerTube instance running a version before v7.1.1 is reachable for this.

💻 Affected Systems

Products:
  • PeerTube
Versions: Before v7.1.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The bug is in PeerTube's core ActivityPub implementation, and PeerTube has no configuration switch that turns federation off, so every standard installation before v7.1.1 is affected regardless of how it was deployed (classic install or Docker).

📦 What is this software?

PeerTube is a free and open-source, self-hosted video platform developed by Framasoft. Instances federate with one another, and with other Fediverse software such as Mastodon, over the ActivityPub protocol, which is why every instance exposes an ActivityPub inbox that accepts activities from remote servers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

The PeerTube process is stuck in the loop and serves nothing to anyone. A hang is not a crash, so a supervisor configured only to restart on exit (for example systemd Restart=on-failure) does not fire; someone has to notice and kill the process, which can mean extended downtime.

🟠 Likely Case

Service disruption for all users of the instance from the moment the crafted activity is processed until the PeerTube process is killed and restarted.

🟢 If Mitigated

Limited impact: rate limiting or inbox allowlisting at the reverse proxy narrows who can deliver activities, and a health check that restarts the process when it stops answering bounds each outage to the restart time. The attacker can repeat the hit, which is why this only buys time until the patch is applied.

🌐 Internet-Facing: HIGH - Any internet-accessible PeerTube instance can be targeted by remote attackers without authentication.
🏢 Internal Only: LOW - Only affects systems where internal users can send ActivityPub activities to the inbox endpoint.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The JFrog research article that disclosed the issue gives enough technical detail to reconstruct an exploit. Exploitation consists of delivering crafted ActivityPub activities to the inbox endpoint; no account on the target is needed. PeerTube does verify HTTP signatures on inbox posts, but the attacker only needs an actor whose key signs the request, which any attacker-run Fediverse server provides.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v7.1.1

Vendor Advisory: https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1

Restart Required: Yes

Instructions:

1. Back up your PeerTube instance and its database.
2. Update to PeerTube v7.1.1 or later using the upgrade procedure for your installation method (the official upgrade script for a classic install, a new image tag for Docker). PeerTube is not distributed through OS package managers.
3. Restart the PeerTube service.
4. Verify the update: the serverVersion reported by the instance's public /api/v1/config endpoint must be 7.1.1 or higher.

🔧 Temporary Workarounds

Rate Limit ActivityPub Inbox

linux

Rate-limit POST requests to the ActivityPub inbox routes at the reverse proxy so that repeated attempts from one client are slowed down. PeerTube serves its inboxes at the site root, not under /api/v1: the shared inbox is /inbox and the per-actor inboxes are /accounts/<name>/inbox and /video-channels/<name>/inbox. In nginx this is a limit_req_zone keyed on $binary_remote_addr plus limit_req on those locations; in Apache, mod_evasive or mod_qos. Two caveats: a single crafted activity is enough to hang the process, so rate limiting shrinks the window rather than closing it, and large legitimate instances deliver activities in bursts, so derive the limit from your own baseline traffic rather than a guess.

Temporary Inbox Disable

all

Block inbound ActivityPub entirely if federation is not critical to you. PeerTube's configuration has no switch that turns off the inbox, so do it at the reverse proxy: return 403 for POST requests to the inbox routes above, or allowlist the addresses of the instances you federate with. This stops all inbound federation (remote follows, comments, likes and video updates) for as long as it is in place; local use keeps working. Treat it as an emergency measure until you can patch.

🧯 If You Can't Patch

  • Restrict who can reach the inbox routes: allowlist the addresses of instances you federate with at the reverse proxy, or rate-limit POSTs to those routes per client.
  • Run PeerTube behind a health check that restarts the process when it stops answering HTTP (a container liveness probe or an external monitor), so a successful hit costs a restart rather than an open-ended outage.
  • Treat WAF signatures as a weak control: a rule written against one guessed payload shape will miss variants, so keep them as a supplement to the source and rate controls above.

🔍 How to Verify

Check if Vulnerable:

Check the PeerTube version: anything below v7.1.1 is vulnerable. Separately, look in the reverse proxy logs for inbox POSTs that never completed (499/502/504) right before the process stopped answering, and correlate them with a CPU spike on the host.

Check Version:

Read the version field of package.json in the running release directory (on a classic install this is /var/www/peertube/peertube-latest/package.json, the default path from the official installation guide), or query the public config endpoint: GET https://<your-instance>/api/v1/config returns a JSON document whose serverVersion field is the running version. Docker users can check the image tag. npm list -g does not apply; PeerTube is not installed as a global npm package.

Verify Fix Applied:

Confirm PeerTube version is v7.1.1 or higher. Test that ActivityPub functionality works normally without service disruption.
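To check a fleet of instances rather than one by hand, the following added example (not PeerTube's own tooling) reads the public serverVersion from /api/v1/config and decides whether it predates the fix. The endpoint and the field name are real PeerTube API; the fetch helper, the version parser and the sample response are constructed for this example.

```python
"""Version check for CVE-2025-32947 against a PeerTube instance's public config.

PeerTube exposes GET /api/v1/config, whose JSON includes "serverVersion".
The fetch helper and the sample response below are constructed for this example.
"""
import json
import re
from urllib.request import urlopen

FIXED_VERSION = (7, 1, 1)  # first release with the fix, per the vendor advisory

# Constructed sample of the part of /api/v1/config this check needs
# (a real response carries many more keys).
SAMPLE_CONFIG_JSON = (
    '{"instance": {"name": "example"}, "serverVersion": "7.1.0", "serverCommit": "abc1234"}'
)

# Accepts "7.1.0", "v7.1.1" and pre-releases such as "7.2.0-alpha.1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text):
    """Return ((major, minor, patch), prerelease_or_None); ValueError on junk."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PeerTube version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def is_vulnerable(version_text):
    """True when the version predates 7.1.1. A pre-release of 7.1.1 itself
    (e.g. 7.1.1-rc.1) sorts before the final release, so it counts as vulnerable."""
    core, prerelease = parse_version(version_text)
    if core < FIXED_VERSION:
        return True
    if core == FIXED_VERSION and prerelease is not None:
        return True
    return False


def version_from_config(config_json):
    """Extract serverVersion from a /api/v1/config response body."""
    return json.loads(config_json)["serverVersion"]


def check_instance(base_url, timeout=10):
    """Fetch the live config and classify the instance. Network-dependent, so
    it is not exercised by the offline sample below."""
    url = f"{base_url.rstrip('/')}/api/v1/config"
    with urlopen(url, timeout=timeout) as resp:
        version = version_from_config(resp.read().decode("utf-8"))
    return version, is_vulnerable(version)


if __name__ == "__main__":
    v = version_from_config(SAMPLE_CONFIG_JSON)
    state = "VULNERABLE" if is_vulnerable(v) else "patched"
    print(f"sample instance runs {v}: {state}")
```

Note that /api/v1/config is public: the same field that lets you inventory your own instances lets an attacker enumerate unpatched ones, so do not rely on version obscurity.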

📡 Detection & Monitoring

Log Indicators:

  • A CPU core pinned at 100% by the PeerTube process while its HTTP responses stop; ActivityPub inbox processing errors immediately before the hang; a process that is still alive but answers nothing (a hang, not a crash, so there is no crash log and no automatic restart).

Network Indicators:

  • Unusual volume of POSTs to the inbox routes (/inbox, /accounts/<name>/inbox, /video-channels/<name>/inbox) from a single source or from an actor domain you do not otherwise federate with; an inbox POST that the reverse proxy logs with 499/502/504 right before every other request starts failing the same way. The crafted payload itself is not logged by default; capture request bodies at the proxy if you want to preserve it for analysis.

SIEM Query:

Reverse proxy access logs (Splunk-style syntax; field names depend on your log source):

source="nginx" method="POST" (uri_path="/inbox" OR uri_path="/accounts/*/inbox" OR uri_path="/video-channels/*/inbox") | stats count BY src_ip | where count > 50

Application logs: source="peertube" AND "inbox" AND (error OR timeout). CPU saturation is not a log event; alert on it from host metrics and correlate by time.
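The detection logic above, run over constructed nginx access-log lines as an added example (not part of the original advisory or of PeerTube). It assumes nginx in the combined log format fronts PeerTube and uses PeerTube's real inbox routes; the client addresses and the traffic are invented. It does two things: it flags clients that POST to an inbox route more than a threshold number of times in a 60 s window, and it finds the first inbox POST that the proxy closed with 499/502/504, which on a hang is the request that was in flight when the backend stopped answering and therefore the one whose body you want to recover.

```python
"""Spot CVE-2025-32947-style activity in nginx access logs in front of PeerTube.

Added example, not PeerTube code. The proxy never sees the crafted payload's
effect directly; it sees (a) bursts of POSTs to the inbox routes and (b) an
inbox POST that the backend never answered. The log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# PeerTube's ActivityPub inbox routes: shared inbox plus per-actor inboxes.
INBOX_RE = re.compile(
    r"^/(?:inbox|accounts/[^/\s?]+/inbox|video-channels/[^/\s?]+/inbox)(?:\?\S*)?$"
)

# nginx "combined" log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: one legitimate delivery, a burst from 203.0.113.9, then a
# POST the backend never answers (504 once nginx's proxy_read_timeout expires),
# after which ordinary requests start failing too.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Apr/2025:12:00:01 +0000] "POST /inbox HTTP/1.1" 204 0 "-" "http.rb/5.1.1 (Mastodon/4.2.0)"
203.0.113.9 - - [10/Apr/2025:12:00:02 +0000] "POST /inbox HTTP/1.1" 204 0 "-" "python-requests/2.31"
203.0.113.9 - - [10/Apr/2025:12:00:02 +0000] "POST /inbox HTTP/1.1" 204 0 "-" "python-requests/2.31"
203.0.113.9 - - [10/Apr/2025:12:00:03 +0000] "POST /accounts/root/inbox HTTP/1.1" 204 0 "-" "python-requests/2.31"
203.0.113.9 - - [10/Apr/2025:12:00:03 +0000] "POST /inbox HTTP/1.1" 204 0 "-" "python-requests/2.31"
203.0.113.9 - - [10/Apr/2025:12:00:04 +0000] "POST /video-channels/main/inbox HTTP/1.1" 204 0 "-" "python-requests/2.31"
203.0.113.9 - - [10/Apr/2025:12:00:04 +0000] "POST /inbox HTTP/1.1" 204 0 "-" "python-requests/2.31"
192.0.2.44 - - [10/Apr/2025:12:00:05 +0000] "GET /api/v1/videos HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Apr/2025:12:01:04 +0000] "POST /inbox HTTP/1.1" 504 0 "-" "python-requests/2.31"
192.0.2.44 - - [10/Apr/2025:12:01:05 +0000] "GET /api/v1/videos?start=15 HTTP/1.1" 504 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2025:12:01:06 +0000] "GET /w/abc HTTP/1.1" 502 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def is_inbox_post(entry):
    return entry["method"] == "POST" and INBOX_RE.match(entry["path"]) is not None


def inbox_bursts(entries, window_s=60, threshold=5):
    """Map client -> peak number of inbox POSTs inside any window_s-second
    window, for clients whose peak exceeds threshold (sliding window)."""
    times_by_ip = defaultdict(list)
    for e in entries:
        if is_inbox_post(e):
            times_by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            count = hi - lo + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def first_hung_inbox_post(entries):
    """Earliest inbox POST whose own status says the backend never answered:
    499 (client gave up) or 502/504 (nginx gave up). nginx writes the log line
    when a request ends, so on a hang this is the request that was in flight
    when the process stopped responding, i.e. the suspected trigger."""
    hung = [e for e in entries if is_inbox_post(e) and e["status"] in (499, 502, 504)]
    return min(hung, key=lambda e: e["ts"]) if hung else None


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("inbox bursts:", inbox_bursts(entries))
    hung = first_hung_inbox_post(entries)
    if hung:
        print(f"suspected trigger: {hung['ip']} {hung['path']} at {hung['ts'].isoformat()}")
```

The burst check catches repeated attempts; the hung-request check is what matters for a single-shot hit, because one crafted activity is enough. Pair the second with body capture at the proxy (the access log does not contain the payload) if you intend to hand the trigger to the vendor or to your own analysts.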
