CVE-2026-57079

Path Traversal in Net::BitTorrent Perl Module

Vulnerability report for CVE-2026-57079, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: CPANSec

Description

Net::BitTorrent versions through 2.0.1 for Perl write files outside the download directory via path traversal in peer-supplied metadata. Net::BitTorrent validates file path components only on the .torrent-file ingest path. The peer and magnet metadata path (_on_metadata_received, reached from the BEP09 ut_metadata extension) passes attacker-supplied file names straight to Storage::add_file and Storage::_parse_file_tree, where Path::Tiny's child() does not collapse "..". A v2 file tree key, a v1 files[].path element, or a single-file name containing ".." segments therefore resolves outside the download directory. Because the peer also controls the piece hashes and the served bytes, content verification passes, so a malicious magnet or peer writes attacker-chosen content to an attacker-chosen path on the downloading host.
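As an added example (not Net::BitTorrent's own code), the Perl below shows the component validation the description says is missing on the metadata path: every name decoded from peer-supplied metadata is checked before Path::Tiny's child() joins it under the download root, and the resulting path is confirmed to still lie inside that root. The download root is a temporary directory and the sample names are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not Net::BitTorrent's own code: validate every path
# component from peer metadata before it reaches Path::Tiny->child.
use strict;
use warnings;
use Path::Tiny qw(path);

# True when the components (a v1 files[].path list, a v2 file tree key,
# or a single-file name) may be joined under the download root. Rejects
# ".", "..", empty names, embedded separators and NUL bytes, none of
# which Path::Tiny's child() collapses or refuses on its own.
sub components_are_safe {
    my @parts = @_;
    return 0 unless @parts;
    for my $p (@parts) {
        return 0 if !defined $p || $p eq '' || $p eq '.' || $p eq '..';
        return 0 if $p =~ m{[/\\\0]};
    }
    return 1;
}

# Joins validated components under $root and checks that the deepest
# existing ancestor still resolves inside $root (guards against a
# symlinked subdirectory). Returns a Path::Tiny object, or undef.
sub safe_target_path {
    my ($root, @parts) = @_;
    return undef unless components_are_safe(@parts);
    my $root_real = path($root)->realpath;
    my $target    = $root_real->child(@parts);
    my $probe     = $target->parent;
    $probe = $probe->parent while !$probe->exists && $probe ne $root_real;
    return undef unless $root_real->subsumes($probe->realpath);
    return $target;
}

# Constructed samples standing in for attacker-controlled metadata.
my $root  = Path::Tiny->tempdir;    # stands in for the download directory
my @cases = (
    [qw(ubuntu.iso)],               # benign single-file name
    [qw(album track01.flac)],       # benign v1 files[].path list
    [qw(.. .. outside.txt)],        # ".." components escape the root
    ['../outside.txt'],             # traversal inside a single key
);
for my $c (@cases) {
    my $t = safe_target_path($root, @$c);
    printf "%-24s => %s\n", join('/', @$c), defined $t ? "ok: $t" : 'REJECTED';
}
```

The two benign cases resolve under the temporary root and the two traversal cases are rejected before any path is built, which is the check the .torrent-file ingest path already performs and the metadata path does not.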


Affected Vendors & Products

Vendor: sanko
Product: net_bittorrent
Version range: up to and including 2.0.1

Exploitability

CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

AI Quick Actions

Instant insights powered by AI
Executive Summary

Net::BitTorrent versions up to 2.0.1 for Perl have a critical path traversal vulnerability. This occurs because the software validates file path components only when processing .torrent files, but does not validate paths received from peers or magnet metadata. Attackers can supply malicious metadata containing path traversal sequences (like ".." segments) that cause files to be written outside the intended download directory.

Since the attacker controls both the file paths and the piece hashes, the content verification passes, allowing arbitrary files with attacker-chosen content to be written anywhere on the downloading host's filesystem.

Compliance Impact

The vulnerability allows attackers to write arbitrary files to paths outside the intended download directory on the victim's host. This unauthorized file write capability could lead to unauthorized data modification, potential data breaches, or remote code execution.

Such unauthorized access and modification of files may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over data integrity, confidentiality, and system security.

Specifically, if sensitive personal or health information is stored or processed on the affected system, this vulnerability could lead to violations of these regulations due to potential unauthorized data exposure or alteration.

Impact Analysis

This vulnerability allows a remote attacker to write arbitrary files to any location on the victim's system where the BitTorrent client runs. Because the attacker controls the file content and path, they can potentially overwrite critical system files or place malicious executables, leading to remote code execution.

The impact includes unauthorized modification or creation of files, possible system compromise, and execution of arbitrary code, which can lead to full control over the affected system.

Detection Guidance

This vulnerability can be detected by monitoring for unusual file writes outside the expected download directory, especially files created via Net::BitTorrent that contain path traversal sequences such as ".." in their paths.

Since the vulnerability involves arbitrary file writes via malicious magnet or peer metadata, you can look for suspicious magnet links or peer metadata containing path traversal patterns.

Commands to help detect exploitation attempts might include searching for recently modified files outside the normal download directory or scanning logs for suspicious magnet URIs.

  • Find files modified recently outside the download directory (example for Linux): find /path/to/expected/downloads/.. -type f -mtime -1
  • Search for magnet links containing ".." sequences in logs or configuration files: grep -r "magnet:.*\.\.\/" /var/log/net_bittorrent/
  • Monitor file system activity for unexpected writes using tools like auditd or inotify.

Mitigation Strategies

Immediate mitigation involves updating Net::BitTorrent to a version that includes the fix for this path traversal vulnerability.

The fix applies proper path validation to peer and magnet metadata paths, preventing attacker-supplied path traversal sequences from writing files outside the download directory.

Until an update can be applied, restrict or monitor the use of magnet links and peers from untrusted sources to reduce the risk of exploitation.

  • Apply the patch or upgrade Net::BitTorrent to a version later than v2.0.1 where the vulnerability is fixed.
  • Implement network controls to limit connections to trusted peers.
  • Monitor and audit file system changes for suspicious activity.
