Net::BitTorrent versions through 2.0.1 for Perl write files outside the download directory via path traversal in peer-supplied metadata.
Net::BitTorrent validates file path components only on the .torrent-file ingest path. The peer and magnet metadata path (onmetadatareceived, reached from the BEP09 utmetadata extension) passes attacker-supplied file names straight to Storage::addfile and Storage::parsefiletree, where Path::Tiny's child() does not collapse "..". A v2 file tree key, a v1 files[].path element, or a single-file name containing ".." segments therefore resolves outside the download directory.
Because the peer also controls the piece hashes and the served bytes, content verification passes, so a malicious magnet or peer writes attacker-chosen content to an attacker-chosen path on the downloading host.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/57xxx/CVE-2026-57079.json",
"cwe_ids": [
"CWE-22"
],
"cna_assigner": "CPANSec"
}{
"source": [
"AFFECTED_FIELD",
"DESCRIPTION"
],
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.1"
},
{
"fixed": "2.0.1"
}
]
}