Authenticated SQL Injection Exposes TorrentPier User Data

An authenticated SQL injection vulnerability, tracked as CVE-2025-64519, has been discovered in TorrentPier, the popular open-source BitTorrent tracker engine. The flaw, affecting versions up to and including 2.8.8, allows malicious actors with moderator privileges to execute arbitrary SQL queries, posing a significant risk to the integrity and confidentiality of database information.

The vulnerability resides within the moderator control panel (modcp.php), specifically in how it handles the topic_id parameter. While exploitation requires an attacker to first gain moderator access—either through a compromised account or an insider threat—the consequences are severe. A successful attack grants direct access to the underlying database, enabling the disclosure, modification, or even deletion of any stored data. Security researchers have classified this defect as high severity, reflected in its CVSS 3.1 score, because of the extensive data manipulation capabilities it grants.

Developers have swiftly addressed this issue, with a specific patch available in commit 6a0f6499d89fa5d6e2afa8ee53802a1ad11ece80 on the TorrentPier GitHub repository. This fix enhances input sanitization, effectively preventing the injection of malicious SQL code.

Organizations utilizing TorrentPier are strongly advised to take immediate action:

  • Update their installations promptly to the patched version.
  • Conduct a thorough validation of database integrity following the update to ensure no unauthorized changes were made prior to remediation.
  • Review moderator accounts for any suspicious activity.
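A defender-side check that follows from the advisory's two concrete points (the flaw lives in modcp.php's handling of topic_id, and moderator activity should be reviewed): the script below is an added example, not TorrentPier code or anything from the advisory, and it scans constructed access-log lines for modcp.php requests whose topic_id is anything other than a plain decimal integer. The Apache combined-style log format, the sample lines, the IPs and the moderator username are all assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache "combined"-style), not real
# TorrentPier traffic. Lines 3 and 4 carry a topic_id that is not a plain integer.
SAMPLE_LOG = """\
203.0.113.5 - moduser [11/Nov/2025:10:01:02 +0000] "GET /modcp.php?topic_id=42 HTTP/1.1" 200 5120
203.0.113.5 - moduser [11/Nov/2025:10:01:09 +0000] "GET /viewtopic.php?t=42 HTTP/1.1" 200 3000
198.51.100.9 - moduser [11/Nov/2025:10:02:14 +0000] "GET /modcp.php?topic_id=42%27 HTTP/1.1" 200 9000
198.51.100.9 - moduser [11/Nov/2025:10:02:30 +0000] "GET /modcp.php?topic_id=42xyz HTTP/1.1" 500 120
"""

# One combined-format request line: client, ident, authenticated user, timestamp,
# request line ("METHOD target protocol") and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# What a topic identifier should look like once the fix is in place: digits only.
INT_RE = re.compile(r"^[0-9]+$")


def suspicious_topic_ids(log_text):
    """Return (ip, user, timestamp, raw topic_id) tuples for every modcp.php
    request whose topic_id query parameter is not a plain decimal integer.

    Only query-string parameters are visible in an access log; a topic_id sent
    in a POST body needs application-level request logging to be checked the
    same way.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/modcp.php":
            continue
        # parse_qs percent-decodes values, so "42%27" is inspected as "42'".
        # keep_blank_values makes an empty topic_id show up too.
        for value in parse_qs(url.query, keep_blank_values=True).get("topic_id", []):
            if not INT_RE.match(value):
                hits.append((m.group("ip"), m.group("user"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, user, ts, value in suspicious_topic_ids(SAMPLE_LOG):
        print(f"{ts} {ip} user={user} non-integer topic_id={value!r}")
```

Run it against the real access log of a TorrentPier instance that was exposed before the patch to get a first list of moderator sessions worth a closer look.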

The vulnerability, first detailed on CVEFEED.io on November 11, 2025, serves as a fresh reminder of the persistent threat posed by SQL injection attacks, even when protected by authentication barriers. Continuous vigilance and prompt patching remain critical across all software environments.