CVE-2026-57079 | Net::BitTorrent versions through 2.0.1 for Perl write files … | CVSS 5.3 MEDIUM

Description

Net::BitTorrent versions through 2.0.1 for Perl write files outside the download directory via path traversal in peer-supplied metadata. Net::BitTorrent validates file path components only on the .torrent-file ingest path. The peer and magnet metadata path (_on_metadata_received, reached from the BEP09 ut_metadata extension) passes attacker-supplied file names straight to Storage::add_file and Storage::_parse_file_tree, where Path::Tiny's child() does not collapse "..". A v2 file tree key, a v1 files[].path element, or a single-file name containing ".." segments therefore resolves outside the download directory. Because the peer also controls the piece hashes and the served bytes, content verification passes, so a malicious magnet or peer writes attacker-chosen content to an attacker-chosen path on the downloading host.

Metadata

CVE ID: CVE-2026-57079
State: PUBLISHED
Assigner: CPANSec
Reserved: 2026-06-23 18:20 UTC
Published: 2026-06-30 11:04 UTC
Last updated: 2026-06-30 13:52 UTC
Primary CWE: CWE-22
CWE-22 Improper Limitation of a Pathname to a Restricted Dir…
Vendor / Product: SANKO / Net::BitTorrent
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
SANKO	Net::BitTorrent	—	0 ≤ 2.0.1

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (1)

https://github.com/sanko/Net-BitTorrent.pm/security/advisories/GHSA-5wc6-r65f-62rr