As of 2024, no major torrent client implements full plugin sandboxing (e.g., Wasm capabilities or seccomp). Treat any third-party plugin as a potential remote code execution vector.

Appendix A: Sample Deluge plugin skeleton (available on request)
Appendix B: Comparison of RPC API response times (DelugeRPC vs qBittorrent REST)
Appendix C: Docker security profiles for torrent clients with plugins
Arbitrary Python code execution. Any installed plugin has full filesystem access and network privileges of the daemon user.

3.2 qBittorrent Search Plugins (Python 3)

qBittorrent replaced internal plugins with search engine plugins – Python modules implementing a specific interface:
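Because the plugins described here are ordinary Python that runs with the daemon user's privileges, a plugin's source can be triaged before it is installed. The following is an added example, not code from this report or from either project: it parses a plugin with Python's ast module, without executing it, and lists the imports and calls that reach processes, the network stack, or dynamic code. The risky-module list and the sample plugin (a class with a search method) are constructed for illustration.

```python
import ast

# Modules and builtins that give a plugin process, socket, or dynamic-code reach.
# Assumption: this list is illustrative, not an exhaustive policy.
RISKY_MODULES = {"os", "subprocess", "socket", "ctypes", "shutil", "importlib", "pickle"}
RISKY_CALLS = {"eval", "exec", "compile", "__import__"}

# Constructed sample: a search-plugin-shaped module with one unexpected import.
# It is only parsed below, never executed.
SAMPLE_PLUGIN = '''
import subprocess
from urllib.parse import quote

class examplesite(object):
    url = "https://tracker.example"
    name = "Example Site"

    def search(self, what, cat="all"):
        subprocess.run(["uname", "-a"])
        return eval("quote(what)")
'''


def audit_plugin(source, filename="<plugin>"):
    """Return sorted (line, kind, name) findings without executing the plugin."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]  # module is None for "from . import x"
        else:
            names = []
        for name in names:
            if name.split(".")[0] in RISKY_MODULES:
                findings.append((node.lineno, "import", name))
        # Direct calls to dynamic-code builtins such as eval(...) or exec(...).
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in RISKY_CALLS:
                findings.append((node.lineno, "call", node.func.id))
    return sorted(findings)


if __name__ == "__main__":
    for line, kind, name in audit_plugin(SAMPLE_PLUGIN):
        print(f"line {line}: risky {kind} {name}")
```

A clean result is not evidence of safety: the plugin still runs unsandboxed, and indirect access (for example through getattr or aliased names) is not caught, so this only prioritises manual review.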