PT-2026-53854 · CPAN · Net::BitTorrent

Published

2026-06-30

·

Updated

2026-06-30

·

CVE-2026-57079

CVSS v3.1

5.3

Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Net::BitTorrent versions prior to 2.0.2
Description: Files can be written outside the designated download directory because of a path traversal in peer-supplied metadata. File path components are validated when a .torrent file is ingested, but metadata received from a peer over the BEP 9 ut_metadata extension takes a different route: the on_metadata_received() handler passes the attacker-supplied file names directly to Storage::add_file() and Storage::_parse_file_tree(). Because the child() method in Path::Tiny joins path segments verbatim and does not collapse ".." segments, a v2 "file tree" key, a v1 files[].path element, or a single-file name containing such segments resolves to a location outside the download directory. Content verification does not mitigate this: the same peer supplies both the piece hashes carried in the metadata and the bytes that are checked against them, so an attacker can write content of their choosing to an arbitrary path on the host, within the permissions of the process running the client.
Recommendations: Update Net::BitTorrent to version 2.0.2 or later.
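The check the advisory calls for, as an added example rather than code from Net::BitTorrent (written in Python so that it runs stand-alone; the helper names bencode, bdecode, metadata_paths, safe_target and check_metadata are this example's own, not the module's): it decodes the raw info dictionary a peer delivers via ut_metadata, enumerates every file path from the three shapes named above, and refuses any component that could escape the download directory before anything is joined. The sample dictionaries are constructed, not captured from a real peer.

```python
# Added example (not Net::BitTorrent code): validate peer-supplied file paths from a
# BEP 9 ut_metadata info dictionary before joining them to the download directory.
import os

def bencode(v) -> bytes:
    """Encode int/bytes/list/dict with sorted dict keys, as bencode requires."""
    if isinstance(v, int):
        return b'i%de' % v
    if isinstance(v, bytes):
        return b'%d:%s' % (len(v), v)
    if isinstance(v, list):
        return b'l' + b''.join(map(bencode, v)) + b'e'
    return b'd' + b''.join(bencode(k) + bencode(v[k]) for k in sorted(v)) + b'e'

def bdecode(data: bytes):
    """Minimal bencode decoder, sufficient for an info dictionary."""
    def parse(i):
        c = data[i:i + 1]
        if c == b'i':                        # integer: i<digits>e
            j = data.index(b'e', i)
            return int(data[i + 1:j]), j + 1
        if c == b'l':                        # list: l<items>e
            out, i = [], i + 1
            while data[i:i + 1] != b'e':
                v, i = parse(i)
                out.append(v)
            return out, i + 1
        if c == b'd':                        # dict: d<key><value>...e
            out, i = {}, i + 1
            while data[i:i + 1] != b'e':
                k, i = parse(i)
                out[k], i = parse(i)
            return out, i + 1
        j = data.index(b':', i)              # byte string: <len>:<bytes>
        n = int(data[i:j])
        return data[j + 1:j + 1 + n], j + 1 + n
    value, end = parse(0)
    if end != len(data):
        raise ValueError('trailing bytes after bencoded value')
    return value

def metadata_paths(info: dict) -> list:
    """All file paths as lists of raw components, from the three shapes the advisory
    names: v2 'file tree', v1 'files[].path', v1 single-file 'name'."""
    name, paths = info[b'name'], []
    if b'file tree' in info:
        def walk(node, prefix):
            for key, child in node.items():
                if key == b'':               # zero-length key marks a file entry
                    paths.append(prefix)
                else:
                    walk(child, prefix + [key])
        walk(info[b'file tree'], [name])
    elif b'files' in info:
        for f in info[b'files']:
            paths.append([name] + list(f[b'path']))
    else:
        paths.append([name])
    return paths

def safe_target(download_dir: str, components: list) -> str:
    """Join components under download_dir or raise ValueError. This per-component
    check is what a bare Path::Tiny child() join lacks: '..' is kept verbatim."""
    root = os.path.realpath(download_dir)
    parts = []
    for c in components:
        s = c.decode('utf-8')                # strict: invalid UTF-8 raises ValueError
        if s in ('', '.', '..') or '/' in s or '\\' in s or '\0' in s:
            raise ValueError('unsafe path component %r' % c)
        parts.append(s)
    target = os.path.normpath(os.path.join(root, *parts))
    if os.path.commonpath([root, target]) != root:   # belt and braces
        raise ValueError('path escapes download directory')
    return target

def check_metadata(download_dir: str, raw_info: bytes) -> dict:
    """Map each path (components joined with '/') to its on-disk target, or None if
    rejected. Piece hashes are deliberately not consulted: the same peer supplies
    them and the data, so they authenticate nothing here."""
    result = {}
    for comps in metadata_paths(bdecode(raw_info)):
        try:
            result[b'/'.join(comps)] = safe_target(download_dir, comps)
        except (ValueError, KeyError, TypeError):
            result[b'/'.join(comps)] = None
    return result

# Constructed samples (not captured traffic): one benign v1 dict and one hostile
# dict per shape named in the advisory.
PIECES = b'\x00' * 20
BENIGN_V1 = bencode({b'name': b'album', b'piece length': 16384, b'pieces': PIECES,
                     b'files': [{b'length': 3, b'path': [b'disc1', b'01.flac']}]})
HOSTILE_V1_FILES = bencode({b'name': b'album', b'piece length': 16384, b'pieces': PIECES,
                            b'files': [{b'length': 3, b'path': [b'..', b'..', b'etc', b'crontab']}]})
HOSTILE_V1_SINGLE = bencode({b'name': b'../../.ssh/authorized_keys', b'length': 3,
                             b'piece length': 16384, b'pieces': PIECES})
HOSTILE_V2_TREE = bencode({b'name': b'album', b'meta version': 2, b'piece length': 16384,
                           b'file tree': {b'..': {b'..': {b'etc': {b'crontab': {b'': {
                               b'length': 3, b'pieces root': b'\x00' * 32}}}}}}})
```

check_metadata('downloads', BENIGN_V1) maps b'album/disc1/01.flac' to a path under downloads/album/, while each hostile dictionary maps its single entry to None. The per-component rule is the part that matters: it runs before any join, so a ".." never reaches the filesystem layer, whereas a check applied only to the joined result would already depend on how that layer treats the segment. Rejecting "\\" as well is a portability choice; on POSIX it is an ordinary filename character.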

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-57079

Affected Products

Net::BitTorrent