qBittorrent has addressed a remote code execution flaw caused by the failure to validate SSL/TLS certificates in the application’s Download Manager, a component that manages downloads throughout the app.
The flaw, introduced in a commit on April 6, 2010, was eventually fixed in the latest release, version 5.0.1, on October 28, 2024, more than 14 years later.
The core issue is that since 2010, qBittorrent accepted any certificate, including forged or otherwise illegitimate ones, enabling attackers in a man-in-the-middle position to modify network traffic.
“In qBittorrent, the DownloadManager class has ignored every SSL certificate validation error that has ever happened, on every platform, for 14 years and 6 months since April 6 2010 with commit 9824d86,” explains the security researcher.
“The default behaviour changed to verifying on October 12 2024 with commit 3d9e971. The first patched release is version 5.0.1, released on October 28, 2024.”
The latest version of qBittorrent, 5.0.1, addresses this issue, so users are advised to upgrade as soon as possible.
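To make the described defect concrete, here is an added example (not qBittorrent's own code, which is C++/Qt) showing, in Python's standard `ssl` module, the two ways an HTTPS client can be configured: one that swallows every certificate validation error, as the DownloadManager did, and one that verifies the chain and hostname as the patched default does. The `is_verifying` helper is an assumed name for an audit check you could run over any client context before it is used for downloads.

```python
import ssl
from typing import Optional


def insecure_context() -> ssl.SSLContext:
    """The 'ignore every SSL error' behaviour described in the article.

    Any certificate is accepted, so a man-in-the-middle presenting a forged
    certificate completes the handshake and can rewrite the download.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be switched off before verify_mode can be CERT_NONE
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The corrected default: verify the chain against the trust store
    (system store, or an explicit CA bundle) and check the hostname.

    A forged certificate now makes the handshake fail with
    ssl.SSLCertVerificationError instead of silently succeeding.
    """
    # create_default_context() sets CERT_REQUIRED and check_hostname=True
    return ssl.create_default_context(cafile=cafile)


def is_verifying(ctx: ssl.SSLContext) -> bool:
    """Audit helper (assumed name): True only when both the chain check and
    the hostname check are enabled. Either one alone leaves a MITM path open.
    """
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()),
                      ("verifying", verifying_context())):
        print(f"{name}: verifies={is_verifying(ctx)}")
```

The important detail for a reviewer is that the verifying context raises on a bad certificate rather than returning a flag the caller can forget to check; the vulnerable pattern is usually a signal or callback that catches the error and proceeds, which is what `insecure_context()` models.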
Source here.