CVE-2025-32949

6.5 MEDIUM

📋 TL;DR

This vulnerability allows any authenticated user to upload a Zip Bomb archive that causes disk space exhaustion when PeerTube attempts to extract it. The issue affects PeerTube instances with user import functionality enabled, which is the default configuration. Attackers can fill the server's disk space, potentially causing service disruption.

💻 Affected Systems

Products:
  • PeerTube
Versions: before v7.1.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires user import functionality enabled, which is default. The yauzl library lacks Zip Bomb detection.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete disk space exhaustion leading to service outage, data corruption, and inability to process legitimate user uploads.

🟠 Likely Case

Partial disk space consumption causing performance degradation and potential service disruption until manual cleanup.

🟢 If Mitigated

Minimal impact if user import is disabled or disk quotas are enforced.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access. Zip Bomb creation tools are widely available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v7.1.1

Vendor Advisory: https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1

Restart Required: Yes

Instructions:

1. Backup your PeerTube instance.
2. Update to PeerTube v7.1.1 or later.
3. Restart the PeerTube service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable User Import

Platform: all

Disable the user import functionality to prevent archive uploads.

Edit PeerTube configuration to set user import to disabled

Implement Disk Quotas

Platform: linux

Set disk usage limits for the PeerTube process or user. Note that ulimit -f caps the size of each individual file a process writes (in 1024-byte blocks under bash, so the value below is roughly 1 GiB) and must be set in the shell that starts PeerTube; it does not bound total disk usage, and PeerTube itself legitimately writes large video and transcoding files, so a filesystem quota on the PeerTube user is the more suitable control.

# Linux example using ulimit (per-file size cap, 1024-byte blocks under bash)
ulimit -f 1000000
# Or implement filesystem quotas for the PeerTube user to bound total usage

🧯 If You Can't Patch

  • Disable user import functionality immediately
  • Implement strict disk monitoring and alerting for unusual consumption patterns
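For operators or maintainers who want the guard the yauzl-based importer lacked, here is an added illustration in Python (not PeerTube's code): a central-directory size and ratio check before extraction, plus a byte budget enforced while inflating so the archive's own headers are never trusted. The limits, the entry name and the in-memory sample archives are constructed here for the example.

```python
import io
import zipfile

# Hypothetical limits for a single user-import archive (not PeerTube's values).
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # 50 MiB of extracted data per import
MAX_RATIO = 100.0                           # declared uncompressed / compressed bytes

class ZipBombSuspected(Exception):
    """Raised when an archive fails either the header check or the byte budget."""

def inspect_archive(data: bytes) -> dict:
    """Cheap pre-extraction check on the central directory: sum the declared
    sizes and reject on total size or compression ratio. Headers can lie, so
    this is a first gate, not the only one."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    uncompressed = sum(i.file_size for i in infos)
    compressed = sum(i.compress_size for i in infos)
    ratio = uncompressed / max(compressed, 1)
    if uncompressed > MAX_TOTAL_UNCOMPRESSED or ratio > MAX_RATIO:
        raise ZipBombSuspected(
            f"declared {uncompressed} bytes from {compressed} (ratio {ratio:.0f}x)")
    return {"entries": len(infos), "uncompressed": uncompressed,
            "compressed": compressed, "ratio": ratio}

def extract_with_budget(data: bytes, budget: int = MAX_TOTAL_UNCOMPRESSED) -> int:
    """Inflate entry by entry in fixed-size chunks and abort as soon as the
    running total of produced bytes exceeds the budget, without relying on the
    sizes in the headers. Returns the number of bytes that would be written."""
    written = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as src:
                while chunk := src.read(64 * 1024):
                    written += len(chunk)
                    if written > budget:
                        raise ZipBombSuspected(
                            f"extraction exceeded {budget} bytes at {info.filename}")
                    # A real importer would stream `chunk` to disk here.
    return written

def build_sample(payload: bytes, name: str = "channel/videos.json") -> bytes:
    """Constructed in-memory archive used as sample input (one deflated entry)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()
```

Run inspect_archive first to reject obvious bombs cheaply, then extract_with_budget as the enforcement step; the second check is what actually bounds disk consumption.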

🔍 How to Verify

Check if Vulnerable:

Check if PeerTube version is below v7.1.1 and user import is enabled.

Check Version:

Check the PeerTube admin panel, or run npm list --depth=0 | grep peertube from the PeerTube installation directory (the root line reports the installed version).

Verify Fix Applied:

Confirm PeerTube version is v7.1.1 or later and test user import with safe archives.

📡 Detection & Monitoring

Log Indicators:

  • Unusually large archive extraction attempts
  • Rapid disk space consumption alerts
  • User import process failures

Network Indicators:

  • Large archive uploads via user import endpoint

SIEM Query:

source="peertube" AND ("user.import" OR "archive.extract") AND size>100MB
