CVE-2025-40913: Net::Dropbear versions through 0.16 for Perl contain a dependency that may be susceptible to an integer overflow
Robert Rothenberg 16 Jul 2025 14:08 UTC
========================================================================
CVE-2025-40913 CPAN Security Group
========================================================================
CVE ID: CVE-2025-40913
Distribution: Net-Dropbear
Versions: from 0.01 through 0.16
MetaCPAN: https://metacpan.org/dist/Net-Dropbear
VCS Repo: https://github.com/atrodo/Net-Dropbear
Net::Dropbear versions through 0.16 for Perl contain a dependency that
may be susceptible to an integer overflow
Description
-----------
Net::Dropbear versions through 0.16 for Perl contain a dependency that
may be susceptible to an integer overflow.
Net::Dropbear embeds a copy of the libtommath library (shipped under
dropbear/libtommath/ in the distribution) whose mp_grow routine is
susceptible to the integer overflow tracked as CVE-2023-36328.
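The following is an added illustration, not code from Net::Dropbear or libtommath: a hypothetical, simplified model of the arithmetic pattern behind an overflow in a bignum "grow" routine, shown next to a bounded variant that rejects oversized requests before any allocation happens. The names PREC, MAX_DIGITS, bigint and the helper functions are assumptions for this example.

```c
/* Hypothetical model of the size-rounding step in a bignum grow routine.
 * NOT libtommath's bn_mp_grow.c; it only illustrates the bug class. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define PREC 32                                    /* assumed allocation granularity (digits) */
#define MAX_DIGITS (INT_MAX / (int)sizeof(uint64_t)) /* cap so size * sizeof(digit) fits in int */

typedef struct { uint64_t *dp; int used; int alloc; } bigint;

/* Round a requested digit count up to the next PREC boundary plus slack.
 * Done in 64 bits so the caller can see the value an int would have wrapped. */
static int64_t rounded_size_unchecked(int size)
{
    return (int64_t)size + (PREC * 2) - (size % PREC);
}

/* Hardened variant: bound the request before doing the arithmetic,
 * and bound the result before it is used as an allocation size. */
static bool rounded_size_checked(int size, int *out)
{
    if (size < 0 || size > MAX_DIGITS) return false;
    int64_t r = rounded_size_unchecked(size);
    if (r > MAX_DIGITS) return false;
    *out = (int)r;
    return true;
}

/* Grow the digit array; fails cleanly instead of allocating a wrapped size. */
static bool bigint_grow(bigint *a, int size)
{
    if (a->alloc >= size) return true;
    int newsize;
    if (!rounded_size_checked(size, &newsize)) return false;
    uint64_t *tmp = realloc(a->dp, (size_t)newsize * sizeof *tmp);
    if (!tmp) return false;
    a->dp = tmp;
    a->alloc = newsize;
    return true;
}

int main(void)
{
    bigint a = {0};
    printf("grow(10): %d, alloc=%d\n", bigint_grow(&a, 10), a.alloc);   /* 1, alloc=64 */
    printf("grow(INT_MAX): %d\n", bigint_grow(&a, INT_MAX));            /* 0: rejected */
    free(a.dp);
    return 0;
}
```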
Problem types
-------------
- CWE-1395 Dependency on Vulnerable Third-Party Component
References
----------
https://www.cve.org/CVERecord?id=CVE-2023-36328
https://github.com/libtom/libtommath/pull/546
https://github.com/advisories/GHSA-j3xv-6967-cv88
https://metacpan.org/release/ATRODO/Net-Dropbear-0.16/source/dropbear/libtommath/bn_mp_grow.c