Security Advisories (4)
CVE-2026-57079 (2026-06-30)

Net::BitTorrent versions through 2.0.1 for Perl write files outside the download directory via path traversal in peer-supplied metadata. Net::BitTorrent validates file path components only on the .torrent-file ingest path. The peer and magnet metadata path (_on_metadata_received, reached from the BEP09 ut_metadata extension) passes attacker-supplied file names straight to Storage::add_file and Storage::_parse_file_tree, where Path::Tiny's child() does not collapse "..". A v2 file tree key, a v1 files[].path element, or a single-file name containing ".." segments therefore resolves outside the download directory. Because the peer also controls the piece hashes and the served bytes, content verification passes, so a malicious magnet or peer writes attacker-chosen content to an attacker-chosen path on the downloading host.

CVE-2026-57080 (2026-06-30)

Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via an uncapped peer-wire message-length prefix. The peer-wire framing in _process_messages trusts the 4-byte length prefix sent by a connected peer with no upper bound, while receive_data appends every inbound byte to the input buffer. A peer announces a length prefix of up to about 4 GiB and then streams bytes; the decoder waits until the buffer holds the full message before processing it, so the buffer grows without limit. Peer connections are unauthenticated, so any peer in the swarm exhausts the downloading process's memory. The largest legitimate message is a 16 KiB piece block, so any announced length far above that is anomalous.

CVE-2026-57082 (2026-06-30)

Net::BitTorrent versions through 2.0.1 for Perl generate the MSE Diffie-Hellman private key with a non-cryptographic PRNG. The MSE (Message Stream Encryption) handshake derives its 160-bit Diffie-Hellman private key from Perl's rand(), a non-cryptographic drand48-class generator seeded once per process, in KeyExchange.pm. The shared secret and the RC4 keys derived from it (the SHA-1 of "keyA" or "keyB", the shared secret, and the infohash) therefore depend entirely on a predictable PRNG. The same handshake sends, in cleartext, random padding drawn from the same rand() sequence in _random_pad, immediately after the public key and the private-key draw. A passive observer of the handshake recovers the PRNG state from the cleartext padding, reconstructs the private key, computes the shared secret from the peer's public key on the wire, derives the RC4 keys, and decrypts the connection, defeating the passive-observation obfuscation MSE provides.

CVE-2026-57081 (2026-06-30)

Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input. bdecode recurses once per nested list or dictionary level with no depth cap, and each recursive call receives the remaining buffer by value while the list and dictionary branches capture the whole remainder, so every live recursion frame keeps its own copy of the shrinking buffer (O(N^2) bytes for an N-deep input). The decoder runs on every untrusted bencode source: .torrent files, BEP09 metadata fetched from peers, DHT messages, and tracker responses. A bencoded input of roughly 150,000 nested lists (about 150 KB on the wire) drives multi-gigabyte peak memory, so one short message from any peer, or one crafted .torrent file or magnet link, terminates the client.

NAME

Net::BitTorrent::Protocol::PeerHandler - High-level Peer Protocol Orchestrator

SYNOPSIS

# Inherits from BEP 06, which inherits from BEP 52, then BEP 11, etc.
use Net::BitTorrent::Protocol::PeerHandler;

my $handler = Net::BitTorrent::Protocol::PeerHandler->new(
    infohash => $ih,
    peer_id   => $id,
    features  => { bep06 => 1, bep10 => 1 }
);

# Link to the high-level Peer object
$handler->set_peer( $peer );

# Feed raw data from the transport
$handler->receive_data( $raw_bytes );

DESCRIPTION

Net::BitTorrent::Protocol::PeerHandler is the "brain" of the Peer Wire Protocol implementation. It utilizes multiple inheritance (via the class feature) to consolidate all supported BitTorrent extensions into a single, unified interface.

It works closely with Net::BitTorrent::Peer to manage the lifecycle of a connection:

1. Handshake: Negotiates protocol version (v1 vs v2) and reserved bits.
2. Extensions: If BEP 10 is negotiated, it exchanges extended handshakes to discover support for PEX, Metadata, etc.
3. Steady State: Dispatches standard messages (Piece, Request) and extensions (PEX, Merkle hashes) to the high-level Peer object.

Supported Extensions:

  • BEP 03: Standard Handshake and Core Messages (Choke, Have, Request, etc.)

  • BEP 06 (Fast): Reduced latency messages (Allowed Fast, Suggest Piece, Reject)

  • BEP 09 (Metadata): UT_METADATA exchange for Magnet links.

  • BEP 10 (Extension): Capability negotiation.

  • BEP 11 (PEX): Peer Exchange.

  • BEP 52 (v2): Merkle Tree synchronization (HASHES, HASH_REQUEST).

  • BEP 55 (Holepunch): NAT traversal support.

METHODS

set_peer( $peer )

Associates the handler with a Peer object.

$handler->set_peer( $peer_obj );

Expected parameters:

$peer

The Net::BitTorrent::Peer object.

handshake event

Emitted when a PWP handshake is completed.

$proto->on( handshake => sub ( $self, $infohash, $peer_id ) { ... } );

Expected parameters:

$infohash

The 20 or 32-byte infohash.

$peer_id

The 20-byte peer ID.

ext_handshake event

Emitted when an extended handshake is received.

$proto->on( ext_handshake => sub ( $self, $data ) { ... } );

Expected parameters:

$data

The decoded handshake dictionary.

metadata_request event

Emitted when a metadata request is received.

$proto->on( metadata_request => sub ( $self, $piece ) { ... } );

Expected parameters:

$piece

The piece index.

metadata_data event

Emitted when metadata data is received.

$proto->on( metadata_data => sub ( $self, $piece, $total_size, $data ) { ... } );

Expected parameters:

$piece

The piece index.

$total_size

The total metadata size.

$data

The piece data.

metadata_reject event

Emitted when a metadata request is rejected.

$proto->on( metadata_reject => sub ( $self, $piece ) { ... } );

Expected parameters:

$piece

The piece index.

hash_request event

Emitted when a Merkle tree hash request is received (BEP 52).

$proto->on( hash_request => sub ( $self, $root, $proof_layer, $base_layer, $index, $length ) { ... } );

Expected parameters:

$root

The 32-byte Merkle root.

$proof_layer

The proof layer index.

$base_layer

The base layer index.

$index

The starting index.

$length

The number of hashes.

hashes event

Emitted when Merkle tree hashes are received.

$proto->on( hashes => sub ( $self, $root, $proof_layer, $base_layer, $index, $length, $hashes ) { ... } );

Expected parameters:

$root

The 32-byte Merkle root.

$proof_layer

The proof layer.

$base_layer

The base layer.

$index

The starting index.

$length

The number of hashes.

$hashes

The binary hashes.

hash_reject event

Emitted when a hash request is rejected.

$proto->on( hash_reject => sub ( $self, $root, $proof_layer, $base_layer, $index, $length ) { ... } );

Expected parameters:

$root

The 32-byte Merkle root.

$proof_layer

The proof layer.

$base_layer

The base layer.

$index

The starting index.

$length

The number of hashes.

pex event

Emitted when PEX data is received.

$proto->on( pex => sub ( $self, $added, $dropped, $added6, $dropped6 ) { ... } );

Expected parameters:

$added

Added IPv4 peers.

$dropped

Dropped IPv4 peers.

$added6

Added IPv6 peers.

$dropped6

Dropped IPv6 peers.

hp_rendezvous event

Emitted when a holepunch rendezvous is requested.

$proto->on( hp_rendezvous => sub ( $self, $id ) { ... } );

Expected parameters:

$id

The target peer ID.

hp_connect event

Emitted when a holepunch connect instruction is received.

$proto->on( hp_connect => sub ( $self, $ip, $port ) { ... } );

Expected parameters:

$ip

The IP address.

$port

The port number.

hp_error event

Emitted when a holepunch error is received.

$proto->on( hp_error => sub ( $self, $err ) { ... } );

Expected parameters:

$err

The error code.

peer( )

Returns the associated Peer object.

my $p = $handler->peer();

AUTHOR

Sanko Robinson <sanko@cpan.org>

COPYRIGHT

Copyright (C) 2008-2026 by Sanko Robinson.

This library is free software; you can redistribute it and/or modify it under the terms of the Artistic License 2.0.