CVE-2026-4851: GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization
Timothy Legge 29 Mar 2026 00:24 UTC
========================================================================
CVE-2026-4851 CPAN Security Group
========================================================================
CVE ID: CVE-2026-4851
Distribution: GRID-Machine
Versions: through 0.127
MetaCPAN: https://metacpan.org/dist/GRID-Machine
GRID::Machine versions through 0.127 for Perl allows arbitrary code
execution via unsafe deserialization
Description
-----------
GRID::Machine versions through 0.127 for Perl allows arbitrary code
execution via unsafe deserialization.
GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl.
The client connects to remote hosts to execute code on them. A
compromised or malicious remote host can execute arbitrary code back on
the client through unsafe deserialization in the RPC protocol.
read_operation() in lib/GRID/Machine/Message.pm deserialises values
from the remote side using eval():

    $arg .= '$VAR1';
    my $val = eval "no strict; $arg"; # line 40-41

$arg is raw bytes from the protocol pipe. A compromised remote host can
embed arbitrary perl in the Dumper-formatted response:

    $VAR1 = do { system("..."); };

This executes on the client silently on every RPC call, as the return
values remain correct.
This functionality is by design, but the trust requirement for the
remote host is not documented in the distribution.
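
As an added illustration (not code from GRID::Machine or from the
reporter), the eval-based decoding pattern described above is shown next
to a decoder that compiles the Dumper text inside a Safe compartment
restricted to data-building opcodes; the helper names, the opcode sets
chosen and the sample responses are assumptions of this example.

```perl
#!/usr/bin/env perl
# Added example, not GRID::Machine code. Contrasts eval-based decoding of
# Dumper output with a Safe-compartment decoder (hypothetical helpers).
use strict;
use warnings;
use Safe;
use Data::Dumper;

# Vulnerable pattern as the advisory describes it: the whole response is
# compiled and run as Perl, so any code the peer embeds runs on the client.
sub unsafe_decode {
    my ($arg) = @_;
    $arg .= '$VAR1';
    return eval "no strict; $arg";
}

# Hardened decoder: the opcode mask covers constants, assignments, anon
# hashes/lists and references only. system(), backticks, open(), require
# and loops are outside these opsets, so a payload fails at compile time.
sub safe_decode {
    my ($arg, $timeout) = @_;
    $timeout //= 5;
    my $cpt = Safe->new;
    $cpt->permit_only(qw(:base_core :base_mem :base_orig));
    my $val;
    my $ok = eval {
        local $SIG{ALRM} = sub { die "decode timeout\n" };  # bound CPU use
        alarm $timeout;
        $val = $cpt->reval($arg . '$VAR1');
        alarm 0;
        die $@ if $@;   # reval leaves compile/runtime errors in $@
        1;
    };
    alarm 0;
    return ($ok ? $val : undef, $ok ? '' : $@);
}

# Constructed sample: a legitimate Dumper-encoded RPC result.
my $good = Dumper({ status => 'ok', rows => [1, 2, 3] });
# Constructed sample in the shape the advisory warns about, with a
# harmless placeholder command; the decoder should refuse to compile it.
my $bad  = '$VAR1 = do { system("true"); [] };' . "\n";

my ($v, $err) = safe_decode($good);
printf "good: %s\n", $v ? "decoded, status=$v->{status}" : "rejected: $err";
($v, $err) = safe_decode($bad);
printf "bad:  %s\n", $v ? "decoded (unexpected)" : "rejected: $err";
```

Safe blocks code-shaped responses but does not change the protocol; a
client that must keep talking to untrusted peers is better served by a
data-only format such as JSON on both ends.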
Problem types
-------------
- CWE-502 Deserialization of Untrusted Data
- CWE-95 Improper Neutralization of Directives in Dynamically Evaluated
  Code ('Eval Injection')
Workarounds
-----------
There is no fix available. If used, only connect to trusted remote
hosts.
References
----------
https://www.openwall.com/lists/oss-security/2026/03/26/6
Timeline
--------
- 2026-03-24: Vulnerability reported to module author and CPANSec
- 2026-03-25: CVE assigned by CPANSec
- 2026-03-26: Author confirmed module is unmaintained, no fix available
- 2026-03-26: Disclosed on oss-security mailing list
Credits
-------
Pied Crow xxxxxx@cpan.org, finder