HTTP/RPC Security Vulnerabilities Resolved in uTorrent, BitTorrent and uTorrent Web

David Rees —  February 22, 2018 — 8 Comments

A fix for multiple vulnerabilities affecting all uTorrent, BitTorrent and uTorrent Web Windows users is now available for immediate download at the links below. We must stress that while these vulnerabilities can be exploited to trigger unauthorized downloads, BitTorrent Inc. is not aware of any incidents related to them. As always, we highly encourage all of our customers to stay up to date. Android and Mac users are not affected by the reported vulnerabilities.

Download the latest builds:

uTorrent Stable
Bittorrent Stable
uTorrent Beta
uTorrent Web

The team began rolling out the update to beta uTorrent Windows users via the auto-update mechanism on Feb 16, 2018. As of today, Feb 22, 2018, the rollout for beta users has concluded and the stable rollout has started. The latest builds include fixes to the way uTorrent and uTorrent Web authenticate WebUI requests and generate session and authentication tokens. In addition, the updates tighten guest account access limits and enforce more checks on potentially malicious HTTP headers sent to the client.
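The paragraph above names the kinds of hardening applied to the WebUI: stricter request authentication, unguessable session tokens, and checks on HTTP headers. The following is an added illustration of that class of defence for a localhost HTTP/RPC interface; it is not uTorrent's code, and the port, hostnames, header name and token scheme are assumptions chosen for the example.

```python
"""Illustrative request-validation checks for a localhost HTTP/RPC interface.

Added example, not uTorrent's code. Assumptions: the service listens on a
fixed local port, issues a random per-session token, and treats browser
requests with an unexpected Host or Origin header as untrusted.
"""
import hmac
import secrets
from typing import Mapping, Tuple

# Hypothetical configuration for the example: the port the WebUI is bound to
# and the hostnames a legitimate local client would use to reach it.
WEBUI_PORT = 8080
ALLOWED_HOSTS = {f"localhost:{WEBUI_PORT}", f"127.0.0.1:{WEBUI_PORT}"}
ALLOWED_ORIGINS = {f"http://{h}" for h in ALLOWED_HOSTS}


def issue_session_token() -> str:
    """Generate an unguessable per-session token (128 bits of randomness)."""
    return secrets.token_urlsafe(16)


def validate_request(headers: Mapping[str, str], session_token: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for an incoming WebUI request.

    Checks, in order:
      1. Host header must name this service by an allowed local hostname and port,
         so requests addressed to some other name are refused.
      2. If a browser sends Origin, it must match an allowed local origin,
         so cross-origin requests are refused.
      3. The request must carry the current session token (constant-time compare),
         so an unauthenticated request cannot reach the RPC handlers.
    """
    # Header names are case-insensitive; normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}

    host = hdrs.get("host", "")
    if host not in ALLOWED_HOSTS:
        return False, "host header not an allowed local name"

    origin = hdrs.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "cross-origin request rejected"

    token = hdrs.get("x-session-token", "")
    if not hmac.compare_digest(token, session_token):
        return False, "missing or invalid session token"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    tok = issue_session_token()
    samples = [
        {"Host": f"localhost:{WEBUI_PORT}", "X-Session-Token": tok},
        {"Host": f"other-host.example:{WEBUI_PORT}", "X-Session-Token": tok},
        {"Host": f"localhost:{WEBUI_PORT}", "Origin": "http://other-site.example",
         "X-Session-Token": tok},
        {"Host": f"localhost:{WEBUI_PORT}"},
    ]
    for s in samples:
        print(s.get("Host"), s.get("Origin"), "->", validate_request(s, tok))
```

The three checks are independent: the Host and Origin checks stop a page served from elsewhere from addressing the local service through a browser, and the token check stops any request that lacks the secret issued to the legitimate UI, regardless of how it arrived.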

Customers and developers of third-party applications that rely on the default-open state of port 10000 should be aware that, moving forward, clients will no longer be discoverable over port 10000. Pairing negotiation is now only allowed over a mutually agreed upon port. Customers can set this port manually by enabling WebUI functionality via Advanced -> WebUI -> Enable Web UI and then specifying a port under the Connectivity section.

You can find the full changelog here:

uTorrent 3.5.3 For Windows (build 44358)

David Rees

Dave Rees is the VP of Engineering at BitTorrent.
  • mrjlturner

    Can you explain how this change would affect the WEBUI being NAT’d through a firewall? Mine used to work on a port above 10000, but no longer does. I changed to a lower port (below 10000) and it now works internally from other machines, but still doesn’t work through the firewall. Thx in advance!

  • Hi! I want to know if µTorrent Server for Debian 7.0 is safe?
    3.3 (Source Revision 30470) / Peer ID UT330B

    If an urgent intervention is needed for Linux, please make a fix for this system as well! Thanks. Also, please provide us a notice regarding the Linux situation.

  • etazero

    For me the WebUI is broken: “invalid request” and/or “abrupt end of stream”. The port is not 10000 and guest is not enabled. Is there another way to protect the system, i.e. a firewall whitelist or the “only access from these IPs” field?

  • s1aver

    According to the Google researcher who found the exploit, this patch is ineffective. To quote him: “It turns out that BitTorrent just made added an additional token to uTorrent Web, and was still vulnerable to the same attack… Therefore, this issue is still exploitable. The vulnerability is now public”

    This is very troubling. When will a more comprehensive patch be made available?

  • KewlRobD

    So, between the complaints here and on the uTorrent troubleshooting forums, it is obvious that the people at uTorrent have chosen to ignore that the update broke the WebUI for anyone using NAT.