Improper Access Control in chocobozzz/peertube


Reported on

Dec 31st 2021


Unauthenticated users can obtain the caption of private videos

Proof of Concept

1: First, create a private video and upload a caption

2: As an unauthenticated user, logout and visit the


3: The response should return a lazy-static URL

{"total":1,"data":[{"language":{"id":"ase","label":"American Sign Language"},"captionPath":"/lazy-static/video-captions/62569eec-cdf5-4582-9cb0-af07d20d900c-ase.vtt"}]}

4: Visit the lazy-static URL and see you can access captions while unauthenticated.


This vulnerability is capable of disclosure of captions of private videos to unauthenticated users.

We are processing your report and will contact the chocobozzz/peertube team within 24 hours. a year ago
We have contacted a member of the chocobozzz/peertube team and are waiting to hear back a year ago
We have sent a follow up to the chocobozzz/peertube team. We will try again in 7 days. a year ago
chocobozzz validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
chocobozzz marked this as fixed in Not released yet with commit 795212 a year ago
chocobozzz has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation