CVE-2025-64519: 
PHP vulnerability analysis and mitigation

TorrentPier, an open source BitTorrent Public/Private tracker engine written in PHP, contains an authenticated SQL injection vulnerability (CVE-2025-64519) in versions up to and including 2.8.8. The vulnerability exists in the moderator control panel (modcp.php) where users with moderator permissions can exploit the topic_id (t) parameter. The vulnerability was disclosed on November 10, 2025, and a patch is available in commit 6a0f6499d89fa5d6e2afa8ee53802a1ad11ece80 (GitHub Commit, GitHub Advisory).

The vulnerability is triggered when modcp.php processes a request containing the topicid parameter. The $topicid variable is directly embedded into an SQL query without proper sanitization or parameterization. The vulnerable code block in modcp.php constructs an SQL query using direct string concatenation: WHERE t.topic_id = $topic_id. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability (GitHub Advisory).

Despite requiring moderator privileges, the vulnerability's impact is severe. A malicious or compromised moderator account can execute arbitrary SQL queries leading to: 1) Reading sensitive data including user credentials, private messages, and email addresses, 2) Modifying database records such as elevating privileges to administrator level, and 3) Corrupting or destroying forum data by dropping tables or deleting records (GitHub Advisory).

A patch has been released that fixes the vulnerability by properly casting the topicid parameter to an integer: `$topicid = isset($REQUEST[POSTTOPICURL]) ? (int)$REQUEST[POSTTOPICURL] : 0`. Users should upgrade to a version containing the fix from commit 6a0f6499d89fa5d6e2afa8ee53802a1ad11ece80 (GitHub Commit).