CVE-2011-10007: File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted file name
Timothy Legge 05 Jun 2025 12:00 UTC

========================================================================
CVE-2011-10007                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2011-10007
   Distribution:  File-Find-Rule
       Versions:  through 0.34

       MetaCPAN:  https://metacpan.org/dist/File-Find-Rule
       VCS Repo:  https://github.com/richardc/perl-file-find-rule

File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code
Execution when `grep()` encounters a crafted file name

Description
-----------
File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code
Execution when `grep()` encounters a crafted filename.

A file handle is opened with the two-argument form of `open()`, which
allows an attacker-controlled filename to provide the MODE parameter
to `open()`, turning the filename into a command to be executed.

Example:

$ mkdir /tmp/poc; echo > "/tmp/poc/|id"
$ perl -MFile::Find::Rule \
     -E 'File::Find::Rule->grep("foo")->in("/tmp/poc")'
uid=1000(user) gid=1000(user) groups=1000(user),100(users)
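
As an added illustration that is not code from File::Find::Rule or its
patch, the Perl below reads files with three-argument `open()`, which
takes the mode from a separate argument, and audits a tree for names that
two-argument `open()` would reinterpret. The function names and the
sample tree are assumptions constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Find ();
use File::Temp qw(tempdir);

# True if two-argument open() would not read $name as a literal file:
# it strips leading/trailing whitespace, takes a leading <, > or + as
# the mode, treats a leading or trailing | as a pipe, and maps "-" to STDIN.
sub is_mode_like {
    my ($name) = @_;
    return $name =~ /\A\s|\s\z|\A[<>+|]|\|\z|\A-\z/ ? 1 : 0;
}

# Hardened read: three-argument open() takes the mode from its second
# argument, so the name is only ever a path.
sub grep_file {
    my ($path, $re) = @_;
    open(my $fh, '<', $path) or return;
    my @hits = grep { /$re/ } <$fh>;
    close $fh;
    return @hits;
}

# List files under $root whose basename two-argument open() would reinterpret.
sub audit_tree {
    my ($root) = @_;
    my @flagged;
    File::Find::find(
        sub { push @flagged, $File::Find::name if -f $_ && is_mode_like($_) },
        $root,
    );
    return sort @flagged;
}

# Constructed sample tree; "|id" is the name used in the advisory's example.
my $dir = tempdir(CLEANUP => 1);
for my $name ('notes.txt', '>notes.txt', '|id') {
    open(my $out, '>', "$dir/$name") or die "create $name: $!";
    print {$out} "foo in $name\n";
    close $out;
}
print "flagged: $_\n" for audit_tree($dir);
print grep_file("$dir/|id", qr/foo/);    # the name is used only as a path
```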

Problem types
-------------
- CWE-78 Improper Neutralization of Special Elements used in an OS
   Command ('OS Command Injection')

Solutions
---------
Users should update to a fixed version when available, or apply the
patch provided in the references section, or use a patched version
provided by their OS distribution.

References
----------
https://metacpan.org/release/RCLAMP/File-Find-Rule-0.34/source/lib/File/Find/Rule.pm#L423
https://rt.cpan.org/Public/Bug/Display.html?id=64504
https://github.com/richardc/perl-file-find-rule/pull/4
https://github.com/richardc/perl-file-find-rule/commit/df58128bcee4c1da78c34d7f3fe1357e575ad56f.patch

Timeline
--------
- 2011-01-04: A bug was reported by Kevin Ryde to the upstream RT
   bugtracker described as "grep() can truncate files".
- 2025-06-04: CPANSec became aware of the bug and started triage. Code
   execution impact was confirmed, a patch was made, and the author, the
   distros list and additional downstream vendors were notified.