PeerTube Uncaught Exception Leading to Persistent Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in PeerTube versions through 7.1.0. It allows any authenticated user to crash the PeerTube server and keep it crashing on every restart, creating a persistent disruption. The vulnerability lies in the user import feature, which is enabled by default. When an uploaded archive contains an entry whose filename the yauzl library rejects (for example a name with a '..' path segment, an absolute path, or a backslash), yauzl emits an error that the import code does not handle, so Node.js raises an uncaught exception and the server process exits. Because the pending import is picked up again on startup, the crash repeats indefinitely until the offending archive is manually removed from the system.
Impact
Exploitation of this vulnerability crashes the PeerTube server and, since the pending import is retried at every startup, leaves the instance in a crash loop: a persistent denial-of-service condition that affects all users of the instance and is not cleared by a simple restart.
Reproduction
To reproduce this vulnerability, log into a PeerTube instance with any authenticated user account. Through the user import feature, upload a ZIP file containing at least one entry with an illegal filename, such as one that includes a '..' path segment, which yauzl rejects with a path error. Once the file is uploaded and the import job runs, the PeerTube server will crash. On restart, the server will attempt to process the same archive again and crash again. This cycle continues, causing a persistent denial of service until the archive is deleted from the system.
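The following Python script is an added example, not PeerTube's or yauzl's own code. It builds the kind of archive described above (a single entry whose name contains a '..' segment) and shows the pre-check an importer would want: scanning the archive's central directory for entry names before handing the file to a library that may raise on them. The name rules in `illegal_entry_reason` are this example's restatement of what yauzl's default validation rejects (backslashes, absolute or drive-letter paths, '..' segments); the function names and the `peertube-export/` entry names are assumptions made for the example.

```python
"""Craft the reproduction archive and pre-screen archives before import.

Added example; not PeerTube or yauzl code. The entry-name rules mirror
yauzl's default name validation as this example understands it.
"""
import io
import re
import zipfile


def illegal_entry_reason(name: str):
    """Return why yauzl would reject this entry name, or None if acceptable.

    Assumed rules (restating yauzl's default validation): no backslashes,
    no absolute or drive-letter paths, no '..' path segments.
    """
    if "\\" in name:
        return "backslash in name"
    if name.startswith("/") or re.match(r"^[a-zA-Z]:", name):
        return "absolute path"
    if ".." in name.split("/"):
        return "'..' path segment"
    return None


def build_poc_archive() -> bytes:
    """Build the reproduction ZIP: one entry whose name contains '..'.

    zipfile.writestr() does not sanitise entry names on write, so the archive
    carries the name verbatim; a yauzl reader with no 'error' listener will
    then turn the rejected name into an uncaught exception.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("peertube-export/../../escape.txt", b"harmless content")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Build a well-formed archive with only relative, clean entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("peertube-export/user.json", b"{}")
        zf.writestr("peertube-export/videos/1/video.json", b"{}")
    return buf.getvalue()


def find_illegal_entries(archive: bytes):
    """Scan only the central directory (no extraction) and list bad names.

    Returns a list of (entry_name, reason) pairs; empty when every name passes.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        bad = []
        for info in zf.infolist():
            reason = illegal_entry_reason(info.filename)
            if reason is not None:
                bad.append((info.filename, reason))
        return bad


def is_safe_to_import(archive: bytes) -> bool:
    """Gate an upload: reject malformed archives and any with illegal names."""
    try:
        return not find_illegal_entries(archive)
    except zipfile.BadZipFile:
        return False


if __name__ == "__main__":
    poc = build_poc_archive()
    print("PoC archive entries flagged:", find_illegal_entries(poc))
    print("PoC safe to import?", is_safe_to_import(poc))
    print("Benign safe to import?", is_safe_to_import(build_benign_archive()))
```

Running the script prints the flagged entry from the crafted archive and `False` for it, and `True` for the benign archive. The check reads only the central directory, so it costs nothing like an extraction and can run before the import job is queued; with a gate like this in front of the importer, a rejected name is handled as a validation failure for one user instead of an uncaught exception for the whole process.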
Remediation
Administrators should upgrade to PeerTube version 7.1.1, which addresses this vulnerability. An instance that is already in the crash loop will not start cleanly until the offending archive is removed from the system or the fixed version is deployed. Until the upgrade can be applied, disabling the user import feature in the instance configuration removes the attack surface for authenticated users.
