CVE-2025-40914: Perl CryptX before version 0.087 contains a dependency that may be susceptible to an integer overflow
Robert Rothenberg 11 Jun 2025 14:07 UTC
========================================================================
CVE-2025-40914 CPAN Security Group
========================================================================
CVE ID: CVE-2025-40914
Distribution: CryptX
Versions: from 0.002 through 0.086
MetaCPAN: https://metacpan.org/dist/CryptX
VCS Repo: https://github.com/DCIT/perl-CryptX
Perl CryptX before version 0.087 contains a dependency that may be
susceptible to an integer overflow
Description
-----------
Perl CryptX before version 0.087 contains a dependency that may be
susceptible to an integer overflow.
CryptX embeds a version of the libtommath library that is susceptible
to an integer overflow associated with CVE-2023-36328.
Problem types
-------------
- CWE-1395 Dependency on Vulnerable Third-Party Component
Solutions
---------
Users should update to version 0.087 or later.
References
----------
https://www.cve.org/CVERecord?id=CVE-2023-36328
https://github.com/libtom/libtommath/pull/546
https://github.com/advisories/GHSA-j3xv-6967-cv88
https://metacpan.org/release/MIK/CryptX-0.086/source/src/ltm/bn_mp_grow.c