CVE-2025-30673: Sub::HandlesVia for Perl allows untrusted code to be included from the current working directory
Timothy Legge 01 Apr 2025 02:12 UTC
========================================================================
CVE-2025-30673 CPAN Security Group
========================================================================
CVE ID: CVE-2025-30673
Distribution: Sub-HandlesVia
Versions: before 0.050002
MetaCPAN: https://metacpan.org/dist/Sub-HandlesVia
VCS Repo: https://github.com/tobyink/p5-sub-handlesvia
Sub::HandlesVia for Perl allows untrusted code to be included from the
current working directory
Description
-----------
Sub::HandlesVia for Perl before 0.050002 allows untrusted code from the
current working directory ('.') to be loaded, similarly to CVE-2016-1238.
If an attacker can place a malicious file in the current working
directory, it may be loaded instead of the intended file, potentially
leading to arbitrary code execution.
Sub::HandlesVia uses Mite to produce the affected code section; the
defect originates in Mite and is tracked as CVE-2025-30672.
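An added example (not code from Sub::HandlesVia or Mite) that shows the two sides of the CWE-427 pattern the description refers to: a check that reports @INC entries which can resolve relative to the current working directory, and a loader that resolves a helper file against the module's own directory so that a file planted in the cwd is never picked up. It assumes a POSIX path layout; the function names are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not code from Sub::HandlesVia or Mite.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Basename qw(dirname);

# Return the @INC entries that can resolve relative to the current working
# directory: '.', the empty string, or any non-absolute path.  Perl >= 5.26
# no longer puts '.' in @INC by default, but -I, PERL5LIB or code that
# edits @INC can put it back.  Code-ref hooks in @INC are skipped.
sub cwd_relative_inc_entries {
    my @inc = @_ ? @_ : @INC;
    return grep {
        !ref($_) && ( $_ eq '' || !File::Spec->file_name_is_absolute($_) )
    } @inc;
}

# Load a helper file that ships with this module from the module's own
# directory, never from the cwd.  The path is made absolute and canonical
# first: `require` with an absolute path does not consult @INC at all, and
# the prefix check rejects '..' components that would escape the base dir.
sub require_sibling {
    my ($relative_name) = @_;
    my $base = realpath( dirname(__FILE__) );
    my $path = realpath( File::Spec->catfile( $base, $relative_name ) );
    die "refusing to load '$relative_name': not a file under $base\n"
        unless defined $path
            && -f $path
            && index( $path, "$base/" ) == 0;    # POSIX separator assumed
    return require $path;
}

# Report the weak condition on startup so it shows up in logs/tests.
if ( my @bad = cwd_relative_inc_entries() ) {
    warn "WARNING: \@INC contains cwd-relative entries: @bad\n";
}
```

Running the script with `perl -I. example.pl` triggers the warning, while the same script without `-I.` on a modern perl stays silent; `require_sibling('Helper.pm')` only ever loads the copy next to the script.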
Problem types
-------------
CWE-427 Uncontrolled Search Path Element
Impacts
-------
CAPEC-38 Leveraging/Manipulating Configuration File Search Paths
Mitigations
-----------
Version 0.050002 of Sub::HandlesVia was released to address the issue.
Users should update to the latest version.
References
----------
https://metacpan.org/dist/Sub-HandlesVia/changes#L12
https://metacpan.org/release/TOBYINK/Sub-HandlesVia-0.050001/source/lib/Sub/HandlesVia/Mite.pm#L114
https://blogs.perl.org/users/todd_rinaldo/2016/11/what-happened-to-dot-in-inc.html