CVE-2025-32945: PeerTube Arbitrary Playlist Creation via REST API
First published: Tue Apr 15 2025(Updated: )
The vulnerability allows an existing user to add playlists to a different user’s channel using the PeerTube REST API. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user.
Credit: reefs@jfrog.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PeerTube |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-32945?
CVE-2025-32945 is classified as a high severity vulnerability due to its potential for abuse by existing users.
How can I mitigate CVE-2025-32945?
To mitigate CVE-2025-32945, users should upgrade to the fixed version of PeerTube software as provided in the releases.
What impact does CVE-2025-32945 have on my PeerTube instance?
CVE-2025-32945 allows unauthorized playlist manipulation across different user channels, compromising user content integrity.
Which versions of PeerTube are affected by CVE-2025-32945?
CVE-2025-32945 affects earlier versions of PeerTube prior to the patch included in release v7.1.1.
Who should take action regarding CVE-2025-32945?
All administrators using affected versions of PeerTube should take immediate action to upgrade to secure versions to prevent exploitation.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/title
- agent/type
- agent/first-publish-date
- agent/description
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/author
- agent/severity
- agent/event
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- collector/epss-latest
- source/FIRST
- agent/source
- agent/tags
- agent/epss
- vendor/peertube
- canonical/peertube