CVE-2025-32948: PeerTube ActivityPub Playlist Creation Blind SSRF and DoS

7.5 CVSS

Description

The vulnerability allows any attacker to cause the PeerTube server to stop functioning, or in special cases send requests to arbitrary URLs (Blind SSRF). Attackers can send ActivityPub activities to PeerTube's "inbox" endpoint. By abusing the "Create Activity" functionality, it is possible to create crafted playlists which will cause either denial of service or an attacker-controlled blind SSRF.

Classification

CVE ID: CVE-2025-32948

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem Types

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Affected Products

Vendor:

Product:

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.48% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-32948
https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1
https://research.jfrog.com/vulnerabilities/peertube-activitypub-playlist-creation-blind-ssrf-dos/

Timeline

2025-04-15 15:40:12 UTC
CVE

PeerTube ActivityPub Playlist Creation Blind SSRF and DoS