CVE-2025-64519 Overview
CVE-2025-64519 is an authenticated SQL injection vulnerability in TorrentPier, an open source BitTorrent public/private tracker engine written in PHP. The flaw affects all versions up to and including 2.8.8 and resides in the moderator control panel script modcp.php. A user with moderator privileges can supply a malicious topic_id (t) parameter to execute arbitrary SQL queries against the backend database. Successful exploitation leads to disclosure, modification, or deletion of any data stored by the application. The vulnerability is tracked under CWE-89 and addressed in commit 6a0f6499d89fa5d6e2afa8ee53802a1ad11ece80.
Critical Impact
An authenticated moderator can read, modify, or delete arbitrary database records, compromising the confidentiality, integrity, and availability of the tracker.
Affected Products
- TorrentPier versions up to and including 2.8.8
- The modcp.php moderator control panel component
- Deployments that grant the moderator role to multiple users
Discovery Timeline
- 2025-11-10 - CVE-2025-64519 published to the National Vulnerability Database (NVD)
- 2025-12-31 - Last updated in NVD database
Technical Details for CVE-2025-64519
Vulnerability Analysis
The vulnerability is a classic SQL Injection [CWE-89] in the moderator control panel. The modcp.php endpoint accepts a t (topic_id) request parameter and incorporates it into an SQL statement without proper sanitization or parameterization. Because the parameter is concatenated directly into a query, an authenticated moderator can break out of the intended SQL context and append arbitrary clauses.
The attack requires authentication and moderator-level permissions, which lowers the attacker pool but does not eliminate risk. Forum communities frequently delegate moderator rights to many users, and any compromised moderator account becomes a vector. Once exploited, the attacker can execute UNION-based extraction, blind boolean or time-based inference, and write operations such as UPDATE or DELETE against any table the database user can reach.
Root Cause
The root cause is missing input validation and the absence of parameterized queries on the topic_id parameter handled by modcp.php. User-supplied input flows into a dynamic SQL string used by the moderator workflow. The patch in commit 6a0f6499d89fa5d6e2afa8ee53802a1ad11ece80 corrects the handling so the parameter is treated as data rather than as part of the SQL grammar.
Attack Vector
The attack is delivered over the network through standard HTTP requests to the TorrentPier web application. An authenticated moderator submits a crafted t parameter to modcp.php containing SQL metacharacters and injected clauses. The server executes the resulting query against the backend database and returns observable changes in responses, timing, or stored data. No user interaction beyond the attacker's own authenticated session is required.
For technical specifics, see the GitHub Security Advisory GHSA-4rwr-8c3m-55f6 and the upstream patch commit.
Detection Methods for CVE-2025-64519
Indicators of Compromise
- HTTP requests to modcp.php containing SQL metacharacters such as ', --, UNION, SELECT, or SLEEP( in the t parameter.
- Web server access logs showing unusually long or URL-encoded t values originating from moderator accounts.
- Database error messages referencing syntax errors triggered by modcp.php queries.
- Unexpected UPDATE or DELETE operations against TorrentPier tables outside of normal moderation workflows.
Detection Strategies
- Inspect web application firewall (WAF) logs for SQL injection signatures targeting the t parameter on the modcp.php path.
- Correlate authenticated moderator session activity with anomalous query volume or response sizes in the database tier.
- Enable verbose database query logging during incident investigations and search for queries referencing moderator endpoints with concatenated user input.
Monitoring Recommendations
- Forward web server, application, and database logs to a centralized analytics platform and alert on SQL injection patterns against modcp.php.
- Track per-account request rates to the moderator control panel and flag deviations from baseline behavior.
- Monitor moderator account login geolocation and user-agent changes to identify potential account compromise that could precede exploitation.
How to Mitigate CVE-2025-64519
Immediate Actions Required
- Upgrade TorrentPier to a version that includes commit 6a0f6499d89fa5d6e2afa8ee53802a1ad11ece80 or later.
- Audit the moderator role membership and revoke privileges from accounts that no longer require them.
- Force password resets and enable multi-factor authentication for all remaining moderator accounts.
- Review database and application logs for prior exploitation against the modcp.php endpoint.
Patch Information
The maintainers fixed the vulnerability in commit 6a0f6499d89fa5d6e2afa8ee53802a1ad11ece80, which addresses the unsafe handling of the topic_id parameter in modcp.php. Administrators should deploy the fixed build referenced in the GitHub Security Advisory GHSA-4rwr-8c3m-55f6.
Workarounds
- Restrict access to modcp.php at the web server or reverse proxy layer to a small set of trusted IP addresses until the patch is applied.
- Deploy WAF rules that block requests containing SQL metacharacters in the t parameter for the moderator control panel route.
- Apply the principle of least privilege to the database account used by TorrentPier so it cannot modify schema objects or read tables outside the application scope.
# Example nginx restriction limiting modcp.php access to an admin VPN range
location = /modcp.php {
allow 10.10.0.0/24; # admin VPN
deny all;
include fastcgi_params;
fastcgi_pass unix:/var/run/php/php-fpm.sock;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

