CVE-2024-40624

Deserialization of untrusted data in torrentpier/torrentpier

Description

TorrentPier is an open source BitTorrent public/private tracker engine written in PHP. In `torrentpier/library/includes/functions.php`, `get_tracks()` uses the unsafe native PHP serialization format (`unserialize()`) to deserialize user-controlled cookies. One can use phpggc and the chain Guzzle/FW1 to write PHP code to an arbitrary file and execute commands on the system. For instance, the `bb_t` cookie is deserialized when browsing to `viewforum.php`. This issue has been addressed in commit `ed37e6e52`, which is expected to be included in release version 2.4.4. Users are advised to upgrade as soon as the new release is available. There are no known workarounds for this vulnerability.
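The following is an added illustration of the bug class described above, not TorrentPier's own code or the fix in `ed37e6e52`: a cookie read with native `unserialize()` beside a hardened variant that only accepts data (JSON, validated shape). The function names, the cookie shape (topic id => last-visit timestamp) and the size bound are assumptions.

```php
<?php
// Added example (not project code). Assumed cookie shape: topic id => unix time.

// Vulnerable pattern: unserialize() on bytes the client fully controls.
// Any class reachable through the autoloader can be instantiated, which is
// what gadget-chain tooling relies on.
function get_tracks_unsafe(string $cookieName): array
{
    $raw = $_COOKIE[$cookieName] ?? '';
    $tracks = @unserialize($raw);
    return is_array($tracks) ? $tracks : [];
}

// Hardened pattern: use a data-only format and validate the decoded shape.
function get_tracks_safe(string $cookieName): array
{
    $raw = $_COOKIE[$cookieName] ?? '';
    if ($raw === '' || strlen($raw) > 4096) {      // assumed size bound
        return [];
    }
    $tracks = json_decode($raw, true, 2);          // assoc arrays, flat only
    if (!is_array($tracks)) {
        return [];
    }
    $clean = [];
    foreach ($tracks as $topicId => $timestamp) {
        // Numeric string keys become ints in PHP arrays; reject everything else.
        if (is_int($topicId) && $topicId > 0 && is_int($timestamp) && $timestamp >= 0) {
            $clean[$topicId] = $timestamp;
        }
    }
    return $clean;
}

// Transitional reader for legacy serialized cookies during a migration:
// allowed_classes => false turns any object into __PHP_Incomplete_Class
// (no constructor, no __wakeup/__destruct of the named class runs), so the
// result must still be checked to be a plain array before use.
function read_legacy_tracks_data_only(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}
```

For detection, a serialized cookie that legitimately holds only an array should never start with `O:` or contain `O:<len>:"` markers; logging such values on the cookie-reading path surfaces deserialization probing.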

CVSS: 9.8 (CVSS 3.1)
Severity: Critical
EPSS: 0.31%
Affected: torrentpier/torrentpier

Frequently Asked Questions

What is the severity of CVE-2024-40624?
CVE-2024-40624 has been scored as a critical severity vulnerability.
How to fix CVE-2024-40624?
To fix CVE-2024-40624, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As of now, there are no other specific guidelines available.
Is CVE-2024-40624 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2024-40624 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-40624?
CVE-2024-40624 affects torrentpier/torrentpier.