TorrentPier Deserialization of Untrusted Data vulnerability — CVE-2024-40624
GitHub · GitHub · CVE-2024-40624
ID
CVE-2024-40624
CVE-2024-40624
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
critical
critical
CVSS
9.3
9.3
EPSS
0.00191
0.00191
Summary
### Summary In `torrentpier/library/includes/functions.php`, `get_tracks()` uses the unsafe native PHP serialization format to deserialize user-controlled cookies: https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60 ### PoC One can use [`phpggc`](https://github.com/ambionics/phpggc/) and the chain `Guzzle/FW1` to write PHP code to an…
Product
composer: torrentpier/torrentpier
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.