Advisory

Critical security vulnerability patched in qBittorrent

Take action: If you are using qBittorrent, patch as soon as possible. It is a torrent download manager, so there is nothing complicated about updating it. Do it now.


Learn More

A critical security vulnerability has been reported in qBittorrent, affecting versions 3.2.1 through 5.0.0. It allows remote code execution (RCE) through several attack vectors because the application's DownloadManager class fails to validate SSL/TLS certificates.

Introduced in April 2010, this flaw persisted for over 14 years, enabling attackers to conduct man-in-the-middle (MITM) attacks and inject malicious code into affected systems by exploiting the platform’s indiscriminate acceptance of certificates.

The flaw (no CVE ID has been assigned) stems from DownloadManager, the component that handles downloads. It performs no SSL/TLS certificate validation and accepts expired and self-signed certificates alike. Because the client never authenticates the server it is talking to, an attacker who can manipulate network traffic can serve arbitrary content in place of the legitimate response, potentially leading to malware infections or unauthorized data access.

Security researchers from Sharp Security highlighted multiple exploit vectors due to this vulnerability:

  • Malicious Python Loader: On Windows, qBittorrent prompts users to install Python from a hardcoded URL when search plugins require it. Without certificate validation, an attacker on the network path can intercept the download that follows and substitute a malicious Python executable, achieving RCE.
  • Fake Update Injection: qBittorrent retrieves update information from an XML feed hosted on a hardcoded URL. By intercepting this request, an attacker could modify the update link, directing users to a compromised executable.
  • RSS Feed Manipulation: The app’s RSS feed parsing, which lacks validation, allows attackers to insert malicious URLs as legitimate torrent links. This can lead users to inadvertently download malware.
  • GeoIP Database Exploit: qBittorrent automatically downloads and decompresses the MaxMind GeoIP database from a fixed URL. If an attacker replaces this file with a maliciously crafted archive, it could exploit vulnerabilities in decompression libraries, such as buffer overflow issues in zlib.

The vulnerability was addressed with a patch in version 5.0.1, released on October 28, 2024, following a default behavior change on October 12, 2024, that made SSL/TLS certificate verification mandatory. Users on affected versions are urged to:

  • Upgrade Immediately to Version 5.0.1 or Later: This patch ensures that SSL/TLS certificates are validated, preventing MITM attacks.
  • Consider Alternative Torrent Clients: Deluge and Transmission are potential alternatives that do not share this SSL/TLS flaw.