CVE-2025-32949 in PeerTube
Summary
by MITRE • 04/15/2025
This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a Zip Bomb.
If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. The yauzl library does not contain any mechanism to detect or prevent extraction of a Zip Bomb (https://en.wikipedia.org/wiki/Zip_bomb). Therefore, when using the User Import functionality with a Zip Bomb, PeerTube will try extracting the archive which will cause a disk space resource exhaustion.
Analysis
by VulDB Data Team • 10/22/2025
This vulnerability represents a critical resource exhaustion flaw in PeerTube's user import functionality that can be exploited by any authenticated user to consume excessive disk space. The vulnerability stems from the improper handling of archive extraction processes within the application's import system, where the yauzl library lacks built-in mechanisms to detect or prevent malicious archive extraction attempts. When a user uploads a malicious zip file through the import functionality, the system attempts to decompress all contained files without any size or count limitations, leading to rapid disk space exhaustion that can potentially render the entire system unusable.
The technical implementation of this vulnerability occurs within the archive processing pipeline where PeerTube's user import feature relies on the yauzl library for archive reading operations. This library operates without any inherent protection against zip bomb attacks, which are malicious compressed archives designed to consume excessive system resources during extraction by containing a large number of compressed files or extremely large files that expand to enormous sizes when decompressed. The default configuration of PeerTube enables user import functionality, making this attack vector accessible to any registered user without requiring elevated privileges or special permissions.
From an operational impact perspective, this vulnerability creates a severe denial-of-service condition that can completely compromise system availability and storage integrity. The exploitation process involves uploading a malicious zip file that appears legitimate but contains compressed data designed to expand to massive sizes, causing the system to consume all available disk space and potentially leading to system crashes or data loss. This type of attack directly violates the principle of resource isolation and can affect not only the targeted service but also other system components that depend on available storage resources, creating cascading failures within the infrastructure.
The vulnerability aligns with CWE-400, which addresses unrestricted resource consumption, and represents a classic example of insufficient input validation and resource management. From an attack perspective, this flaw maps to multiple ATT&CK techniques including T1499.001 for network denial of service and T1078.004 for valid accounts. The attack requires minimal sophistication since any authenticated user can leverage this vulnerability, making it particularly dangerous in environments where user registration is open or where user accounts are easily obtainable. Organizations should implement immediate mitigations including disabling user import functionality, implementing archive size and file count limits, and configuring monitoring systems to detect unusual disk space consumption patterns. Additionally, the system should be updated to use a more secure archive handling library that includes built-in zip bomb detection mechanisms or implement custom validation checks that prevent extraction of archives exceeding predefined thresholds for file count, total size, or compression ratios.