CVE-2025-40910: Net::IP::LPM version 1.10 for Perl does not properly consider leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses

CVE-2025-40910: Net::IP::LPM version 1.10 for Perl does not properly consider leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses Robert Rothenberg 27 Jun 2025 12:30 UTC

========================================================================
CVE-2025-40910                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2025-40910
   Distribution:  Net-IP-LPM
       Versions:  1.10

       MetaCPAN:  https://metacpan.org/dist/Net-IP-LPM

Net::IP::LPM version 1.10 for Perl does not properly consider leading
zero characters in IP CIDR address strings, which could allow attackers
to bypass access control that is based on IP addresses

Description
-----------
Net::IP::LPM version 1.10 for Perl does not properly consider leading
zero characters in IP CIDR address strings, which could allow attackers
to bypass access control that is based on IP addresses.

Leading zeros are used to indicate octal numbers, which can confuse
users who are intentionally using octal notation, as well as users who
believe they are using decimal notation.

Problem types
-------------
- CWE-1287 Improper Validation of Specified Type of Input

References
----------
https://metacpan.org/release/TPODER/Net-IP-LPM-1.10/diff/TPODER/Net-IP-LPM-1.09/lib/Net/IP/LPM.pm
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
https://security.metacpan.org/patches/N/Net-IP-LPM/1.10/CVE-2025-40910-r1.patch