Security Advisories (4)
CVE-2026-57079 (2026-06-30)

Net::BitTorrent versions through 2.0.1 for Perl write files outside the download directory via path traversal in peer-supplied metadata. Net::BitTorrent validates file path components only on the .torrent-file ingest path. The peer and magnet metadata path (_on_metadata_received, reached from the BEP09 ut_metadata extension) passes attacker-supplied file names straight to Storage::add_file and Storage::_parse_file_tree, where Path::Tiny's child() does not collapse "..". A v2 file tree key, a v1 files[].path element, or a single-file name containing ".." segments therefore resolves outside the download directory. Because the peer also controls the piece hashes and the served bytes, content verification passes, so a malicious magnet or peer writes attacker-chosen content to an attacker-chosen path on the downloading host.

CVE-2026-57080 (2026-06-30)

Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via an uncapped peer-wire message-length prefix. The peer-wire framing in _process_messages trusts the 4-byte length prefix sent by a connected peer with no upper bound, while receive_data appends every inbound byte to the input buffer. A peer announces a length prefix of up to about 4 GiB and then streams bytes; the decoder waits until the buffer holds the full message before processing it, so the buffer grows without limit. Peer connections are unauthenticated, so any peer in the swarm exhausts the downloading process's memory. The largest legitimate message is a 16 KiB piece block, so any announced length far above that is anomalous.

CVE-2026-57082 (2026-06-30)

Net::BitTorrent versions through 2.0.1 for Perl generate the MSE Diffie-Hellman private key with a non-cryptographic PRNG. The MSE (Message Stream Encryption) handshake derives its 160-bit Diffie-Hellman private key from Perl's rand(), a non-cryptographic drand48-class generator seeded once per process, in KeyExchange.pm. The shared secret and the RC4 keys derived from it (the SHA-1 of "keyA" or "keyB", the shared secret, and the infohash) therefore depend entirely on a predictable PRNG. The same handshake sends, in cleartext, random padding drawn from the same rand() sequence in _random_pad, immediately after the public key and the private-key draw. A passive observer of the handshake recovers the PRNG state from the cleartext padding, reconstructs the private key, computes the shared secret from the peer's public key on the wire, derives the RC4 keys, and decrypts the connection, defeating the passive-observation obfuscation MSE provides.

CVE-2026-57081 (2026-06-30)

Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input. bdecode recurses once per nested list or dictionary level with no depth cap, and each recursive call receives the remaining buffer by value while the list and dictionary branches capture the whole remainder, so every live recursion frame keeps its own copy of the shrinking buffer (O(N^2) bytes for an N-deep input). The decoder runs on every untrusted bencode source: .torrent files, BEP09 metadata fetched from peers, DHT messages, and tracker responses. A bencoded input of roughly 150,000 nested lists (about 150 KB on the wire) drives multi-gigabyte peak memory, so one short message from any peer, or one crafted .torrent file or magnet link, terminates the client.

NAME

Net::BitTorrent::Protocol::MSE::KeyExchange - Diffie-Hellman and RC4 Key Management

SYNOPSIS

use Net::BitTorrent::Protocol::MSE::KeyExchange;

my $kx = Net::BitTorrent::Protocol::MSE::KeyExchange->new(
    infohash     => $bin_ih,
    is_initiator => 1
);

# Share this with the peer
my $my_pub = $kx->public_key();

# Compute shared secret once peer's key arrives
$kx->compute_secret( $remote_pub );

# Get ready-to-use ciphers
my $cipher = $kx->encrypt_rc4();
$cipher->crypt( $plaintext );

DESCRIPTION

This module handles the 768-bit Diffie-Hellman key exchange and RC4 stream cipher management for BitTorrent encryption. It uses a fixed 768-bit safe prime (P) and generator (G=2) as defined in the MSE specification.

METHODS (KeyExchange)

new( %params )

Creates a new KeyExchange object.

Expected parameters:

infohash

The 20-byte binary infohash.

is_initiator

Boolean. True if we are the connection initiator.

compute_secret( $remote_pub_bytes )

Computes the shared secret using the remote peer's public key and derives the RC4 encryption and decryption keys. This method automatically discards the first 1024 bytes of both RC4 keystreams to mitigate known weaknesses in the RC4 cipher's initial output (a requirement of the MSE spec).

Expected parameters:

$remote_pub_bytes

The 96-byte binary public key from the peer.

get_secret( )

Returns the computed 96-byte binary shared secret.

my $s = $kx->get_secret();

get_sync_data( [$override_ih] )

Returns the hashes needed for MSE synchronization.

my ($req1, $xor_mask) = $kx->get_sync_data();

Expected parameters:

$override_ih - optional

A binary infohash to use instead of the one passed to the constructor.

verify_skey( $xor_block, $candidate_ih )

Verifies if an XORed SKEY matches a candidate infohash.

my $ok = $kx->verify_skey( $block, $ih );

Expected parameters:

$xor_block

The 20-byte XORed block from the peer.

$candidate_ih

The 20-byte binary infohash to check.

init_rc4( $ih )

Initializes the RC4 encryptor and decryptor.

$kx->init_rc4( $ih );

Expected parameters:

$ih

The negotiated binary infohash.

scan_for_vc( $buffer )

Scans a buffer for the encrypted Verification Constant (VC).

my $offset = $kx->scan_for_vc( $incoming_data );

This method uses brute force to find the sync point in an encrypted stream.

Expected parameters:

$buffer

The raw data buffer to scan.

infohash( )

Returns the configured infohash.

is_initiator( )

Returns true if we are the connection initiator.

public_key( )

Returns our 96-byte binary public key.

encrypt_rc4( )

Returns the Net::BitTorrent::Protocol::MSE::RC4 object for encryption.

decrypt_rc4( )

Returns the Net::BitTorrent::Protocol::MSE::RC4 object for decryption.

METHODS (RC4)

discard( $bytes )

Discards bytes from the PRGA stream.

$rc4->discard( 1024 );

Expected parameters:

$bytes

The number of bytes to discard.

crypt( $data )

XORs data with the RC4 stream.

my $cipher = $rc4->crypt( $plain );

Expected parameters:

$data

The binary data to process.

snapshot( )

Returns a lightweight snapshot of the RC4 state.

my $snap = $rc4->snapshot();

restore( $snap )

Restores the RC4 state from a snapshot.

$rc4->restore( $snap );

Expected parameters:

$snap

The snapshot data.

AUTHOR

Sanko Robinson <sanko@cpan.org>

COPYRIGHT

Copyright (C) 2008-2026 by Sanko Robinson.

This library is free software; you can redistribute it and/or modify it under the terms of the Artistic License 2.0.