CVE-2025-32948

HIGH

Framasoft Peertube < 7.1.1 - Type Confusion

Title source: rule

Description

The vulnerability allows any attacker to cause the PeerTube server to stop functioning, or in special cases send requests to arbitrary URLs (Blind SSRF). Attackers can send ActivityPub activities to PeerTube's "inbox" endpoint. By abusing the "Create Activity" functionality, it is possible to create crafted playlists which will cause either denial of service or an attacker-controlled blind SSRF.

References (2)

[Release Notes] https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1

[Exploit, Third Party Advisory] https://research.jfrog.com/vulnerabilities/peertube-activitypub-playlist-creation-blind-ssrf-dos/

Scores

CVSS v3 7.5

EPSS 0.0013

EPSS Percentile 31.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-843

Status published

Products (1)

framasoft/peertube < 7.1.1

Published Apr 15, 2025

Tracked Since Feb 18, 2026