Impact
Net::BitTorrent for Perl decodes bencoded data by recursing once for each nested list or dictionary without imposing any depth limit. Each recursive call passes the remaining buffer by value, so every active stack frame holds its own copy of the shrinking input, and memory use grows quadratically in the input size (O(N²)). A crafted payload of roughly 150 000 nested lists (about 150 KB on the wire) drives peak memory consumption into the multiple-gigabyte range, which can crash or severely degrade the client. The flaw is an instance of uncontrolled resource consumption (CWE-400) and uncontrolled recursion (CWE-674).
Affected Systems
All releases of SANKO Net::BitTorrent through version 2.0.1 are affected. Because the decoder processes every untrusted bencode source—including .torrent files, BEP09 metadata fetched from peers, DHT messages, and tracker responses—any client that incorporates this module is vulnerable regardless of its deployment environment.
Risk and Exploitability
The flaw is a classic remote memory exhaustion vulnerability. The decoder operates on any untrusted bencoded input, so an attacker can trigger it by sending a single deeply nested payload from any peer, or by delivering a crafted .torrent file or magnet link. Based on the description, it is inferred that exploitation requires only that the client receive the payload; no special privileges or additional setup are needed. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but the severe resource exhaustion and lack of mitigation mean that the risk remains high; the CVSS score of 7.5 confirms a high severity.
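The two mitigations implied by the Impact and Risk sections above (a hard nesting limit, and recursing over an offset into the buffer rather than a copy of it) are shown here in an added example. This is illustrative Python written for this page, not code from Net::BitTorrent or OpenCVE, and it does not reproduce the module's Perl decoder. `MAX_DEPTH` is an assumed limit, `nested_lists` builds a constructed payload, and `naive_copy_bytes` is an idealized model of what a copy-per-frame decoder holds live at peak; none of these names come from the project.

```python
"""Depth-limited, offset-based bencode decoder (added example, not Net::BitTorrent code)."""

MAX_DEPTH = 64  # assumed limit; real torrent/DHT/tracker data nests only a few levels deep


class BencodeError(ValueError):
    """Raised for malformed input or input that exceeds the nesting limit."""


def decode(buf: bytes, max_depth: int = MAX_DEPTH):
    """Decode one bencoded value from buf, rejecting nesting deeper than max_depth."""
    value, end = _decode_at(buf, 0, 0, max_depth)
    if end != len(buf):
        raise BencodeError("trailing data after bencoded value")
    return value


def _decode_at(buf: bytes, pos: int, depth: int, max_depth: int):
    """Decode the value starting at buf[pos]; return (value, position after it).

    Recursion carries only an integer offset, never a sliced copy of the
    remaining buffer, so each stack frame costs O(1) instead of O(remaining)."""
    if pos >= len(buf):
        raise BencodeError("unexpected end of data")
    c = buf[pos:pos + 1]
    if c == b"i":  # integer: i<digits>e
        end = buf.index(b"e", pos)
        return int(buf[pos + 1:end]), end + 1
    if c.isdigit():  # byte string: <length>:<bytes>
        colon = buf.index(b":", pos)
        length = int(buf[pos:colon])
        start = colon + 1
        if start + length > len(buf):
            raise BencodeError("string length exceeds buffer")
        return buf[start:start + length], start + length
    if c in (b"l", b"d"):  # list or dictionary: the only constructs that recurse
        if depth >= max_depth:
            raise BencodeError(f"nesting deeper than {max_depth} levels")
        pos += 1
        if c == b"l":
            items = []
            while buf[pos:pos + 1] != b"e":
                item, pos = _decode_at(buf, pos, depth + 1, max_depth)
                items.append(item)
            return items, pos + 1
        result = {}
        while buf[pos:pos + 1] != b"e":
            key, pos = _decode_at(buf, pos, depth + 1, max_depth)
            if not isinstance(key, bytes):
                raise BencodeError("dictionary key must be a byte string")
            result[key], pos = _decode_at(buf, pos, depth + 1, max_depth)
        return result, pos + 1
    raise BencodeError(f"invalid bencode at offset {pos}")


def nested_lists(n: int) -> bytes:
    """Constructed payload: n nested empty lists, 2n bytes on the wire."""
    return b"l" * n + b"e" * n


def naive_copy_bytes(n: int) -> int:
    """Idealized peak live bytes for a copy-per-frame decoder on nested_lists(n):
    frame k (0-based) still holds the 2n - k bytes that remain at that point,
    so the total is quadratic in n."""
    return sum(2 * n - k for k in range(n))


if __name__ == "__main__":
    print(decode(b"d3:cow3:moo4:spam4:eggse"))
    for n in (100, 1000, 10000):
        print(f"n={n}: naive copy-per-frame peak ~ {naive_copy_bytes(n):,} bytes")
    try:
        decode(nested_lists(10000))
    except BencodeError as exc:
        print("rejected:", exc)
```

The decoder stops at the first `l` or `d` beyond the limit, before any allocation for that level, so a deeply nested payload costs at most `max_depth` small frames regardless of its length on the wire.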
OpenCVE Enrichment