Server-Side Request Forgery (SSRF) in chocobozzz/peertube


Reported on

Feb 5th 2022


First of all, Thanks to my friend Haxatron for his excellent report

I read the fix commit, and I found out that the code only Checked the IP addresses and didn't check the domain names that refer to a private IP address

Steps to reproduce

first, set up a local server at and put a media file on it named 1.mp4.

second, use the following URL to import A video with URL upload when you want to publish a video:


You can see that the local server files can be enumerated, and even if there is any media file with a guessable name, it can be leaked through the URL download procedure.

We are processing your report and will contact the chocobozzz/peertube team within 24 hours. a year ago
We have contacted a member of the chocobozzz/peertube team and are waiting to hear back a year ago
chocobozzz validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
chocobozzz marked this as fixed in Not released yet with commit f33e51 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
video-imports.ts#L78 has been validated
to join this conversation