Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Passive network interception of handshake needed (AC:H, AV:N); no credentials required (PR:N); full RC4 session decryption possible (C:H); no write or disruption capability (I:N, A:N).
Primary rating from Vendor (CPANSec).
CVSS VectorVendor: CPANSec
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Net::BitTorrent versions through 2.0.1 for Perl generate the MSE Diffie-Hellman private key with a non-cryptographic PRNG.
The MSE (Message Stream Encryption) handshake derives its 160-bit Diffie-Hellman private key from Perl's rand(), a non-cryptographic drand48-class generator seeded once per process, in KeyExchange.pm. The shared secret and the RC4 keys derived from it (the SHA-1 of "keyA" or "keyB", the shared secret, and the infohash) therefore depend entirely on a predictable PRNG. The same handshake sends, in cleartext, random padding drawn from the same rand() sequence in _random_pad, immediately after the public key and the private-key draw.
A passive observer of the handshake recovers the PRNG state from the cleartext padding, reconstructs the private key, computes the shared secret from the peer's public key on the wire, derives the RC4 keys, and decrypts the connection, defeating the passive-observation obfuscation MSE provides.
AnalysisAI
MSE Diffie-Hellman key exchange in Net::BitTorrent (Perl, all versions through 2.0.1) is rendered cryptographically transparent to passive network observers because Perl's non-cryptographic rand() function generates the 160-bit DH private key in KeyExchange.pm, and the same PRNG sequence simultaneously produces cleartext random padding transmitted during the same handshake. A passive eavesdropper who captures the handshake can recover the drand48 PRNG state from the observable padding bytes, reconstruct the private key, derive the RC4 session keys, and fully decrypt the MSE-encrypted stream - completely defeating the passive-observation obfuscation MSE is designed to provide. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | MSE must be enabled and actively used - it is the default encrypted connection mode in Net::BitTorrent, so default deployments are affected without any special configuration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) accurately characterizes the attack as network-accessible but high-complexity, since successful exploitation requires a network-positioned passive observer who can capture a complete MSE handshake. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An ISP-level passive observer or local network attacker captures the complete MSE DH handshake between a Net::BitTorrent ≤ 2.0.1 client and a remote peer, extracting the cleartext random padding bytes emitted by _random_pad. The observer feeds these bytes into a drand48 state-recovery tool, reconstructs the internal PRNG state, rewinds to derive the 160-bit DH private key, and computes the shared secret using the peer's public DH key already visible on the wire; the observer then derives the RC4 keystream and decrypts the full MSE-encrypted session. … |
| Remediation | Consult the vendor GitHub Security Advisory at https://github.com/sanko/Net-BitTorrent.pm/security/advisories/GHSA-g444-x2c5-94hc for the patched release version - no exact fixed version number was present in the provided intelligence, so that advisory must be used to confirm the minimum safe version before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Memory corruption in Go's net library (versions <1.25.10 and 1.26.0-1.26.2) leads to application crash when parsing mali
The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "
The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading
The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a
The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "pani
The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic:
Local file tampering via symlink/junction following in Microsoft .NET runtimes 8.0, 9.0, and 10.0 allows a local unauthe
.NET and Visual Studio Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is re
.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.8), this v
Weak PRNG in Net::NSCA::Client through 0.009002 for Perl. Patch available.
Metric injection in the Perl module Net::Statsite::Client through version 1.1.0 allows attackers controlling metric name
Remote denial of service in ASP.NET Core enables unauthenticated network attackers to exhaust server resources and disru
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40291
GHSA-3x8p-9jc8-598w