Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-delivered exploit requires no privileges; arbitrary file write is high Integrity impact; no Confidentiality or Availability impact described.
Primary rating from Vendor (CPANSec).
CVSS VectorVendor: CPANSec
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Net::BitTorrent versions through 2.0.1 for Perl write files outside the download directory via path traversal in peer-supplied metadata.
Net::BitTorrent validates file path components only on the .torrent-file ingest path. The peer and magnet metadata path (_on_metadata_received, reached from the BEP09 ut_metadata extension) passes attacker-supplied file names straight to Storage::add_file and Storage::_parse_file_tree, where Path::Tiny's child() does not collapse "..". A v2 file tree key, a v1 files[].path element, or a single-file name containing ".." segments therefore resolves outside the download directory.
Because the peer also controls the piece hashes and the served bytes, content verification passes, so a malicious magnet or peer writes attacker-chosen content to an attacker-chosen path on the downloading host.
AnalysisAI
Arbitrary file write in Net::BitTorrent 2.0.1 and earlier allows a malicious BitTorrent peer to place attacker-controlled content at attacker-chosen filesystem paths outside the designated download directory. The library validates path components on the .torrent ingest path but omits identical validation for peer-supplied metadata received via the BEP09 ut_metadata extension, causing file names containing '..' segments to resolve to traversal targets when passed to Storage::add_file. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The victim must be running an application built on Net::BitTorrent 2.0.1 or earlier and must initiate a download that results in a peer connection to the attacker's node - either by opening a crafted magnet link or by the client peering with a malicious node in a shared swarm. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official NVD CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, score 5.3) contains a significant metric conflict with the vulnerability description: the vector assigns C:L (Confidentiality: Low) and I:N (Integrity: None), yet the described impact is unambiguously an arbitrary file write - an Integrity violation with no described Confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker deploys a malicious BitTorrent peer and distributes a crafted magnet link via a forum, email, or torrent index site. When a victim's Perl application using Net::BitTorrent opens the magnet link and connects to the attacker's peer, the peer advertises BEP09 ut_metadata containing a files[].path entry such as ['..', '..', '.ssh', 'authorized_keys'] and simultaneously serves piece data - a crafted SSH public key - with matching hashes. … |
| Remediation | Consult the vendor security advisory at https://github.com/sanko/Net-BitTorrent.pm/security/advisories/GHSA-5wc6-r65f-62rr for the confirmed patched release version, which was not independently specified in the available data; upgrade to that version as the primary remediation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Memory corruption in Go's net library (versions <1.25.10 and 1.26.0-1.26.2) leads to application crash when parsing mali
The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "
The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading
The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a
The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "pani
The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic:
Local file tampering via symlink/junction following in Microsoft .NET runtimes 8.0, 9.0, and 10.0 allows a local unauthe
.NET and Visual Studio Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is re
.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.8), this v
Weak PRNG in Net::NSCA::Client through 0.009002 for Perl. Patch available.
Metric injection in the Perl module Net::Statsite::Client through version 1.1.0 allows attackers controlling metric name
Remote denial of service in ASP.NET Core enables unauthenticated network attackers to exhaust server resources and disru
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40288
GHSA-5gfq-2rx4-6vwv