PeerTube Path Traversal Vulnerability in HLS Endpoint Allows Arbitrary Playlist Leakage

Vulnerability

A path traversal vulnerability has been identified in PeerTube versions up to and including 7.1.0. It allows an authenticated user to read the contents of private HLS playlists (.m3u8 files) stored on the server. The root cause is insufficient sanitization of the playlistName parameter in the HLS endpoint: a crafted value can traverse out of the requested video's directory and reach arbitrary .m3u8 files.

Impact

Exploitation of this vulnerability leads to unauthorized access and leakage of private HLS playlist files, potentially exposing sensitive video streaming data.

Reproduction

To reproduce this vulnerability, log into a PeerTube instance and upload a private video. Use the inspection tool to obtain the video's playlist UUID and .m3u8 filename. Then, upload a public video and copy its UUID. Finally, send a request to the HLS endpoint, using the public video's UUID to traverse to the private video's directory and access the .m3u8 file.

Remediation

Upgrade to PeerTube version 7.1.1, which fixes this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.