CVE-2025-3051: Linux::Statm::Tiny for Perl allows untrusted code to be included from the current working directory
Stig Palmquist 01 Apr 2025 02:22 UTC
========================================================================
CVE-2025-3051 CPAN Security Group
========================================================================
CVE ID: CVE-2025-3051
Distribution: Linux-Statm-Tiny
Versions: before 0.0701
MetaCPAN: https://metacpan.org/dist/Linux-Statm-Tiny
VCS Repo: https://github.com/robrwo/Linux-Statm-Tiny
Linux::Statm::Tiny for Perl allows untrusted code to be included from
the current working directory
Description
-----------
Linux::Statm::Tiny for Perl before 0.0701 allows untrusted code from
the current working directory ('.') to be loaded, similar to
CVE-2016-1238.
If an attacker can place a malicious file in the current working
directory, it may be loaded instead of the intended file, potentially
leading to arbitrary code execution.
The affected code section in Linux::Statm::Tiny is generated by Mite,
and the underlying issue is tracked as CVE-2025-30672.
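The following is an added example, not code from the advisory, from Linux::Statm::Tiny or from Mite. It illustrates the CWE-427 pattern behind this class of bug: a `require` of a module that may not be installed searches every entry of `@INC`, and when `@INC` contains '.' (the default before Perl 5.26, or restored with `PERL_USE_UNSAFE_INC=1` or `use lib '.'`) the search falls through to the current working directory. The module name `Some::Optional::Module` and the helper names are constructed for the example; the audit function reports relative `@INC` entries, and the wrapper restricts the search path to absolute directories (and `@INC` hooks) for the duration of the load.

```perl
#!/usr/bin/env perl
# Added example (not from the advisory, Linux::Statm::Tiny or Mite):
# detect relative entries in @INC and load modules without ever
# consulting the current working directory. Module names are constructed.
use strict;
use warnings;
use File::Spec;

# Return the @INC entries that are relative paths ('.', 'lib', ...).
# Code refs and other hook objects in @INC are not paths and are skipped.
sub unsafe_inc_entries {
    my @inc = @_ ? @_ : @INC;
    return grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @inc;
}

# Hardened require: for the duration of this call, @INC is reduced to
# absolute directories and hooks, so a missing module cannot be satisfied
# by a file that happens to sit in the current working directory.
sub require_safely {
    my ($module) = @_;                      # package name, e.g. 'Foo::Bar'
    (my $file = "$module.pm") =~ s{::}{/}g; # 'Foo::Bar' -> 'Foo/Bar.pm'
    local @INC = grep { ref($_) || File::Spec->file_name_is_absolute($_) } @INC;
    require $file;                          # searches only the filtered @INC
    return 1;
}

# Audit: warn if the running interpreter would search a relative directory.
if ( my @bad = unsafe_inc_entries() ) {
    warn "Relative entries in \@INC (files in the cwd could be loaded): @bad\n";
}

# The risky idiom is probing an optional dependency with eval { require ... }.
# With '.' in @INC, a module that is not installed is looked up in the cwd
# last; the hardened wrapper removes that fallback.
my $have_optional = eval { require_safely('Some::Optional::Module'); 1 } ? 1 : 0;
print "optional module available: $have_optional\n";
```

Running this on a Perl 5.26 or later interpreter with default settings reports no relative entries; running it with `PERL_USE_UNSAFE_INC=1`, or on an older Perl, prints the warning for '.', which is the condition under which a generated `require` like the one referenced in this advisory becomes exploitable.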
Problem types
-------------
CWE-427 Uncontrolled Search Path Element
Impacts
-------
CAPEC-38 Leveraging/Manipulating Configuration File Search Paths
Mitigations
-----------
Version 0.0701 of Linux::Statm::Tiny was released to address the issue.
Users should update to the latest version.
References
----------
https://metacpan.org/release/RRWO/Linux-Statm-Tiny-0.0701/changes
https://metacpan.org/release/RRWO/Linux-Statm-Tiny-0.0700/source/lib/Linux/Statm/Tiny/Mite.pm#L82
https://blogs.perl.org/users/todd_rinaldo/2016/11/what-happened-to-dot-in-inc.html