CVE-2025-32946

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-32946

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-32946.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-32946

Published

2025-04-15T13:15:55Z

Modified

2025-05-24T03:41:27.204649Z

Summary

[none]

Details

This vulnerability allows any attacker to add playlists to a different user’s channel using the ActivityPub protocol. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user.

References

Affected packages

Git / github.com/chocobozzz/peertube

Affected ranges

Type: GIT
Repo: https://github.com/chocobozzz/peertube
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b9c3a4837e6a5e5d790e55759e3cf2871df4f03c

Affected versions

test-tag-1.*

test-tag-1.0.0

v0.*

v0.0.11-alpha

v0.0.12-alpha

v0.0.13-alpha

v0.0.14-alpha

v0.0.16-alpha

v0.0.17-alpha

v0.0.18-alpha

v0.0.19-alpha

v0.0.20-alpha

v0.0.21-alpha

v0.0.22-alpha

v0.0.23-alpha

v0.0.27-alpha

v0.0.28-alpha

v0.0.29-alpha

v0.0.3-alpha

v0.0.4-alpha

v0.0.5-alpha

v0.0.6-alpha

v0.0.8-alpha

v0.0.9-alpha

v1.*

v1.0.0

v1.0.0-alpha.1

v1.0.0-alpha.10

v1.0.0-alpha.2

v1.0.0-alpha.3

v1.0.0-alpha.4

v1.0.0-alpha.5

v1.0.0-alpha.6

v1.0.0-alpha.7

v1.0.0-alpha.8

v1.0.0-alpha.9

v1.0.0-beta.1

v1.0.0-beta.10

v1.0.0-beta.10.pre.1

v1.0.0-beta.10.pre.2

v1.0.0-beta.10.pre.3

v1.0.0-beta.11

v1.0.0-beta.12

v1.0.0-beta.13

v1.0.0-beta.14

v1.0.0-beta.15

v1.0.0-beta.16

v1.0.0-beta.2

v1.0.0-beta.3

v1.0.0-beta.4

v1.0.0-beta.5

v1.0.0-beta.6

v1.0.0-beta.7

v1.0.0-beta.8

v1.0.0-beta.9

v1.0.0-rc.1

v1.0.0-rc.2

v1.0.1

v1.1.0

v1.1.0-alpha.1

v1.1.0-rc.1

v1.2.0

v1.2.0-rc.1

v1.2.1

v1.3.0

v1.3.0-rc.1

v1.3.0-rc.2

v1.3.1

v1.4.0

v1.4.0-rc.1

v1.4.1

v2.*

v2.0.0

v2.0.0-rc.1

v2.1.0

v2.1.0-rc.1

v2.1.1

v2.2.0

v2.2.0-rc.1

v2.3.0

v2.3.0-rc.1

v2.4.0

v2.4.0-rc.1

v3.*

v3.0.0

v3.0.0-rc.1

v3.0.1

v3.1.0

v3.1.0-rc.1

v3.2.0

v3.2.0-rc.1

v3.2.1

v3.3.0

v3.3.0-rc.1

v3.4.0

v3.4.0-rc.1

v3.4.1

v4.*

v4.0.0

v4.0.0-rc.1

v4.1.0

v4.1.0-rc.1

v4.1.1

v4.2.0

v4.2.0-rc.1

v4.2.1

v4.2.2

v4.3.0

v4.3.0-rc.1

v4.3.1

v5.*

v5.0.0

v5.0.0-rc.1

v5.0.1

v5.1.0

v5.1.0-rc.1

v5.2.0

v5.2.0-rc.1

v5.2.1

v6.*

v6.0.0

v6.0.0-rc.1

v6.0.0-rc.2

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.1.0

v6.1.0-rc.1

v6.2.0

v6.2.0-rc.1

v6.2.1

v6.3.0

v6.3.0-rc.1

v6.3.1

v6.3.2

v6.3.3

v7.*

v7.0.0

v7.0.0-rc.1

v7.0.1

v7.1.0

v7.1.0-rc.1