PeerTube Zip Bomb Archive Extraction Resource Exhaustion Vulnerability
Vulnerability
PeerTube versions up to and including 7.1.0 allow any authenticated user to upload an archive that, when extracted, consumes excessive disk space and exhausts server resources. The user import feature, which is enabled by default, does not validate uploaded archives before extracting them, so a zip bomb (a small archive whose contents inflate to an enormous amount of data) can fill the instance's storage during extraction.
Impact
A single low-privileged account can fill the instance's disk, which degrades performance or takes the server down entirely (denial of service). Because the trigger is one authenticated upload, no administrative access is required.
Reproduction
To reproduce this vulnerability, log into a PeerTube instance with any user account and obtain its API access token. Create a zip bomb named 'evil.zip' and submit it to the user import endpoint of the PeerTube API, using that token in the Authorization header of the request. Once the upload completes, the server begins extracting the archive and disk space is exhausted as the contents inflate.
Remediation
Upgrade to PeerTube 7.1.1, which contains the fix for this vulnerability.
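The following is an added example of the kind of check the reproduction and remediation sections above imply is missing: it is not PeerTube's code and does not describe how 7.1.1 fixes the issue. It inspects an archive's central directory before inflating anything (declared total size, compression ratio, entry count, unsafe paths) and then enforces a byte budget on the decompressor's actual output, so the limit holds even when header fields are attacker-controlled. The size limits, the sample archives and the 'evil.bin' entry are constructed for illustration.

```python
"""Pre-extraction zip bomb checks plus a budgeted extraction loop.
Added example; limits below are assumed policy values, not PeerTube's."""
import io
import zipfile

MAX_ENTRIES = 1000
MAX_TOTAL_UNCOMPRESSED = 16 * 1024 * 1024   # 16 MiB output budget (assumed)
MAX_RATIO = 100                              # uncompressed / compressed (assumed)


def inspect_archive(data: bytes):
    """Return None if the archive passes, else a string saying why it was rejected.
    Only the central directory is read here; nothing is inflated yet."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as e:
        return f"not a valid zip: {e}"
    infos = zf.infolist()
    if len(infos) > MAX_ENTRIES:
        return f"too many entries: {len(infos)}"
    total = 0
    for info in infos:
        # Path traversal is a different bug class, but an importer should reject it too.
        if info.filename.startswith(("/", "\\")) or ".." in info.filename.split("/"):
            return f"unsafe path: {info.filename!r}"
        total += info.file_size
        if total > MAX_TOTAL_UNCOMPRESSED:
            return f"declared uncompressed size exceeds budget ({total} bytes)"
        if info.compress_size > 0 and info.file_size / info.compress_size > MAX_RATIO:
            return f"suspicious compression ratio for {info.filename!r}"
    return None


def extract_with_budget(data: bytes, budget: int = MAX_TOTAL_UNCOMPRESSED) -> dict:
    """Extract into memory, counting bytes the decompressor really produces.
    Header-declared sizes are checked first, but the budget is enforced on
    actual output, so a lying or inconsistent header does not bypass it."""
    problem = inspect_archive(data)
    if problem:
        raise ValueError(problem)
    out = {}
    written = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            buf = io.BytesIO()
            with zf.open(info) as src:
                while True:
                    chunk = src.read(64 * 1024)
                    if not chunk:
                        break
                    written += len(chunk)
                    if written > budget:
                        raise ValueError("extraction aborted: output budget exceeded")
                    buf.write(chunk)
            out[info.filename] = buf.getvalue()
    return out


def build_archive(entries: dict) -> bytes:
    """Helper to construct deflate-compressed test archives in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real PeerTube export archives.
BENIGN = build_archive({
    "export.json": b'{"videos": []}',
    "avatar.png": b"\x89PNG" + bytes(range(256)),
})
# 32 MiB of zeros deflates to roughly 32 KiB: the same shape as the 'evil.zip'
# in the reproduction section, declared size far above budget and ratio ~1000.
BOMB = build_archive({"evil.bin": b"\0" * (32 * 1024 * 1024)})


if __name__ == "__main__":
    print("benign:", inspect_archive(BENIGN))
    print("bomb:  ", inspect_archive(BOMB))
    print("extracted:", sorted(extract_with_budget(BENIGN)))
```

The central-directory pass is cheap and rejects the obvious case before any disk is touched; the streaming budget is the defence that still holds when the archive is nested, lies about its sizes, or is handed to a library that trusts headers. An importer should also delete whatever was already written when the budget trips, since a partial extraction is itself the disk cost the attacker wanted.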
