Skip to main content

Net::BitTorrent EUVDEUVD-2026-40288

| CVE-2026-57079 MEDIUM
Path Traversal (CWE-22)
2026-06-30 CPANSec GHSA-5gfq-2rx4-6vwv
5.3
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
7.5 HIGH

Network-delivered exploit requires no privileges; arbitrary file write is high Integrity impact; no Confidentiality or Availability impact described.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CPANSec).

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 30, 2026 - 14:25 vuln.today
CVSS changed
Jun 30, 2026 - 14:22 NVD
5.3 (MEDIUM)
CVE Published
Jun 30, 2026 - 11:04 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Net::BitTorrent versions through 2.0.1 for Perl write files outside the download directory via path traversal in peer-supplied metadata.

Net::BitTorrent validates file path components only on the .torrent-file ingest path. The peer and magnet metadata path (_on_metadata_received, reached from the BEP09 ut_metadata extension) passes attacker-supplied file names straight to Storage::add_file and Storage::_parse_file_tree, where Path::Tiny's child() does not collapse "..". A v2 file tree key, a v1 files[].path element, or a single-file name containing ".." segments therefore resolves outside the download directory.

Because the peer also controls the piece hashes and the served bytes, content verification passes, so a malicious magnet or peer writes attacker-chosen content to an attacker-chosen path on the downloading host.

AnalysisAI

Arbitrary file write in Net::BitTorrent 2.0.1 and earlier allows a malicious BitTorrent peer to place attacker-controlled content at attacker-chosen filesystem paths outside the designated download directory. The library validates path components on the .torrent ingest path but omits identical validation for peer-supplied metadata received via the BEP09 ut_metadata extension, causing file names containing '..' segments to resolve to traversal targets when passed to Storage::add_file. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Distribute crafted magnet link to victim
Delivery
Victim's Net::BitTorrent client connects to malicious peer
Exploit
Malicious peer delivers BEP09 ut_metadata with '..' path traversal in file list
Install
_on_metadata_received passes names to Storage::add_file without validation
C2
Path::Tiny child() resolves traversal outside download directory
Execute
Attacker serves payload bytes with matching piece hashes
Impact
Content verification passes; attacker-controlled file written to arbitrary path

Vulnerability AssessmentAI

Exploitation The victim must be running an application built on Net::BitTorrent 2.0.1 or earlier and must initiate a download that results in a peer connection to the attacker's node - either by opening a crafted magnet link or by the client peering with a malicious node in a shared swarm. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official NVD CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, score 5.3) contains a significant metric conflict with the vulnerability description: the vector assigns C:L (Confidentiality: Low) and I:N (Integrity: None), yet the described impact is unambiguously an arbitrary file write - an Integrity violation with no described Confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker deploys a malicious BitTorrent peer and distributes a crafted magnet link via a forum, email, or torrent index site. When a victim's Perl application using Net::BitTorrent opens the magnet link and connects to the attacker's peer, the peer advertises BEP09 ut_metadata containing a files[].path entry such as ['..', '..', '.ssh', 'authorized_keys'] and simultaneously serves piece data - a crafted SSH public key - with matching hashes. …
Remediation Consult the vendor security advisory at https://github.com/sanko/Net-BitTorrent.pm/security/advisories/GHSA-5wc6-r65f-62rr for the confirmed patched release version, which was not independently specified in the available data; upgrade to that version as the primary remediation. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Net

View all
CVE-2026-33811 HIGH POC
7.5 May 07

Memory corruption in Go's net library (versions <1.25.10 and 1.26.0-1.26.2) leads to application crash when parsing mali

CVE-2018-17848 HIGH POC
7.5 Oct 01

The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "

CVE-2018-17847 HIGH POC
7.5 Oct 01

The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading

CVE-2018-17143 HIGH POC
7.5 Sep 17

The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a

CVE-2018-17142 HIGH POC
7.5 Sep 17

The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "pani

CVE-2018-17075 HIGH POC
7.5 Sep 16

The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic:

CVE-2026-45491 MEDIUM POC
5.5 Jun 09

Local file tampering via symlink/junction following in Microsoft .NET runtimes 8.0, 9.0, and 10.0 allows a local unauthe

CVE-2024-43498 CRITICAL
9.8 Nov 12

.NET and Visual Studio Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2023-36049 CRITICAL
9.8 Nov 14

.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.8), this v

CVE-2024-57854 CRITICAL
9.1 Mar 05

Weak PRNG in Net::NSCA::Client through 0.009002 for Perl. Patch available.

CVE-2026-11373 CRITICAL
9.1 Jun 22

Metric injection in the Perl module Net::Statsite::Client through version 1.1.0 allows attackers controlling metric name

CVE-2026-45591 HIGH
7.5 Jun 09

Remote denial of service in ASP.NET Core enables unauthenticated network attackers to exhaust server resources and disru

Share

EUVD-2026-40288 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy