CVE-2025-40911: Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly consider leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses Stig Palmquist 27 May 2025 21:20 UTC

========================================================================
CVE-2025-40911                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2025-40911
   Distribution:  Net-CIDR-Set
       Versions:  from 0.10 through 0.13

       MetaCPAN:  https://metacpan.org/dist/Net-CIDR-Set
       VCS Repo:  https://github.com/robrwo/perl-Net-CIDR-Set

Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly
consider leading zero characters in IP CIDR address strings, which
could allow attackers to bypass access control that is based on IP
addresses.

Description
-----------
Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly
handle leading zero characters in IP CIDR address strings, which could
allow attackers to bypass access control that is based on IP addresses.

Some IPv4 parsers, notably the inet_aton() family in BSD libc and
glibc, treat an octet written with a leading zero as octal, so
"010.0.0.1" denotes 8.0.0.1, while a parser that simply reads each
octet as decimal takes the same string to mean 10.0.0.1. A library
that accepts such strings instead of rejecting them can therefore
disagree with other components of the same application about which
address a string denotes. This is a trap both for users who
deliberately write octal and for users who assume every octet is
decimal, and an attacker who controls an address string can choose one
whose interpretation differs between the access-control check and the
component that later acts on the address.
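The following Python is an added illustration of this bug class in
generic form; it is not code from Net::CIDR::Set or from the patch, and
the parser names, the deny list and the "012.0.0.1" payload are
constructed for the example. It contrasts a lenient decimal parser
(the behaviour the advisory describes), an inet_aton()-style octal
parser, and a strict parser that rejects leading zeros, and shows how a
deny list checked with the lenient parser can be bypassed when another
component follows inet_aton() rules.

```python
import re

# Dotted-quad syntax. The pattern deliberately accepts leading zeros,
# because the disagreement demonstrated here starts after matching.
DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def _octets(addr):
    m = DOTTED_QUAD.match(addr)
    if not m:
        raise ValueError(f"not a dotted quad: {addr!r}")
    return m.groups()


def _pack(values):
    if any(v > 255 for v in values):
        raise ValueError("octet out of range")
    return (values[0] << 24) | (values[1] << 16) | (values[2] << 8) | values[3]


def parse_lenient(addr):
    """Decimal parse that tolerates leading zeros: '012' -> 12.
    Models the vulnerable behaviour described in the advisory."""
    return _pack([int(o) for o in _octets(addr)])


def parse_inet_aton_like(addr):
    """Parse with BSD/glibc inet_aton() rules: an octet starting with
    '0' is octal, so '012' -> 10, and '08' is invalid."""
    values = []
    for o in _octets(addr):
        if len(o) > 1 and o[0] == "0":
            values.append(int(o, 8))  # int('08', 8) raises ValueError
        else:
            values.append(int(o))
    return _pack(values)


def parse_strict(addr):
    """Hardened parse: refuse any octet with a leading zero, so that no
    two components can disagree about what the string means."""
    octets = _octets(addr)
    for o in octets:
        if len(o) > 1 and o[0] == "0":
            raise ValueError(f"leading zero in octet {o!r} of {addr!r}")
    return _pack([int(o) for o in octets])


def in_cidr_set(addr, cidrs, parse):
    """True if addr lies inside any prefix in cidrs, with the address
    and the prefixes interpreted by the same parser."""
    ip = parse(addr)
    for cidr in cidrs:
        net, _, bits = cidr.partition("/")
        bits = int(bits) if bits else 32
        if not 0 <= bits <= 32:
            raise ValueError(f"bad prefix length in {cidr!r}")
        mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
        if ip & mask == parse(net) & mask:
            return True
    return False


def dotted(ip):
    return ".".join(str((ip >> shift) & 0xFF) for shift in (24, 16, 8, 0))


# Constructed scenario (not from the advisory): an application refuses
# outbound connections to private ranges by checking a user-supplied
# host against a CIDR set, then hands the same string to a resolver
# that follows inet_aton() rules.
DENY = ["10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16"]
PAYLOAD = "012.0.0.1"  # lenient: 12.0.0.1 (allowed); inet_aton: 10.0.0.1 (denied)


def demo():
    """Returns (blocked_by_lenient_check, address_actually_connected_to)."""
    lenient_blocked = in_cidr_set(PAYLOAD, DENY, parse_lenient)
    actual_target = dotted(parse_inet_aton_like(PAYLOAD))
    print(f"ACL check with lenient parser blocks {PAYLOAD}? {lenient_blocked}")
    print(f"connect() under inet_aton rules goes to {actual_target}")
    try:
        in_cidr_set(PAYLOAD, DENY, parse_strict)
    except ValueError as e:
        print(f"strict parser rejects the input: {e}")
    return lenient_blocked, actual_target


if __name__ == "__main__":
    demo()
```

The strict parser is the behaviour to want from an access-control
library: rejecting the ambiguous string at the boundary removes the
question of which interpretation is "right", whereas picking either the
decimal or the octal reading still leaves room for another component to
pick the other.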

Net::CIDR::Set was derived from code in Net::CIDR::Lite, which had a
similar vulnerability, CVE-2021-47154.

Problem types
-------------
CWE-1287 Improper Validation of Specified Type of Input

Solutions
---------
Update to version 0.14, or apply the patch provided by the module
author (linked under References below).

References
----------
https://metacpan.org/release/RRWO/Net-CIDR-Set-0.14/changes
https://github.com/robrwo/perl-Net-CIDR-Set/commit/be7d91e8446ad8013b08b4be313d666dab003a8a.patch
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/