CVE-2026-48962: IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob Stig Palmquist 27 May 2026 03:16 UTC

========================================================================
CVE-2026-48962                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-48962
  Distribution:  IO-Compress
      Versions:  before 2.220

      MetaCPAN:  https://metacpan.org/dist/IO-Compress
      VCS Repo:  https://github.com/pmqs/IO-Compress

IO::Compress versions before 2.220 for Perl can execute arbitrary code
in File::GlobMapper via an attacker-controlled output glob

Description
-----------
IO::Compress versions before 2.220 for Perl can execute arbitrary code
in File::GlobMapper via an attacker-controlled output glob.

_parseOutputGlob() wraps the caller-supplied output glob string in
double quotes and stores it in the parser state; _getFiles() later runs
the stored expression through eval STRING. A literal double quote in
the output glob terminates that double-quoted string early, and
whatever follows it is compiled and run as Perl by the eval.

Arbitrary Perl in the output glob therefore executes with the
privileges of the calling process, so any application that derives the
output glob from untrusted input is exposed.
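
As an added illustration (this is not File::GlobMapper's code, nor the
change shipped in 2.220), the following Perl models the pattern the
description gives: an output glob using an assumed `#N` back-reference
syntax is turned into a double-quoted Perl expression and evaluated with
eval STRING, so a literal double quote in attacker-controlled input ends
the string and the remainder runs as code. The hardened `safe_map`
treats the glob as data and substitutes captures without any eval. The
function names, the `#N` syntax, the glob-to-regex helper and the sample
filenames are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example; not File::GlobMapper's code. Models the "wrap the output
# glob in double quotes, then eval STRING" pattern and a no-eval rewrite.
use strict;
use warnings;

# Convert a shell-style input glob to an anchored regex, one capture per
# wildcard, so '*.txt' becomes qr/^(.*)\.txt\z/ (assumed helper).
sub glob_to_re {
    my ($glob) = @_;
    my $re = join '', map {
        $_ eq '*' ? '(.*)' : $_ eq '?' ? '(.)' : quotemeta($_)
    } split //, $glob;
    return qr/^$re\z/;
}

# VULNERABLE: the output glob becomes Perl source inside a double-quoted
# string. A '"' in the glob closes the string; what follows is code.
# Because the wrapper is a double-quoted string, '$' and '@' interpolate
# too, so escaping only '"' would not make this safe; the fix is no eval.
sub vulnerable_map {
    my ($in_glob, $out_glob, $filename) = @_;
    (my $expr = $out_glob) =~ s/#(\d+)/\$$1/g;   # '#1' -> '$1'
    my $stored = '"' . $expr . '"';              # the dquote wrapper
    return undef unless $filename =~ glob_to_re($in_glob);
    my $out = eval $stored;                      # eval STRING on caller data
    die "eval failed: $@" if $@;
    return $out;
}

# HARDENED: the output glob stays data. Captures are read from the match
# offsets and spliced in for '#N'; unknown or out-of-range '#N' become ''.
sub safe_map {
    my ($in_glob, $out_glob, $filename) = @_;
    my $re = glob_to_re($in_glob);
    return undef unless $filename =~ $re;
    my @caps = map { substr $filename, $-[$_], $+[$_] - $-[$_] } 1 .. $#+;
    (my $out = $out_glob) =~ s{#(\d+)}{
        my $i = $1;
        ($i >= 1 && $i <= @caps) ? $caps[$i - 1] : ''
    }ge;
    return $out;
}

# Benign use: map report.txt -> report.gz with both variants.
print vulnerable_map('*.txt', '#1.gz', 'report.txt'), "\n";   # report.gz
print safe_map('*.txt', '#1.gz', 'report.txt'), "\n";         # report.gz

# Attacker-controlled output glob (constructed sample): the '"' closes the
# wrapper and the rest runs as Perl. It only sets a flag here rather than
# spawning a command, but it is arbitrary code all the same.
our $pwned = 0;
my $evil = 'x".($main::pwned = 1)."';
vulnerable_map('*.txt', $evil, 'report.txt');
print "vulnerable_map: pwned=$pwned\n";                       # pwned=1

$pwned = 0;
my $name = safe_map('*.txt', $evil, 'report.txt');
print "safe_map: output='$name' pwned=$pwned\n";              # pwned=0
```

The same payload produces a strange but harmless filename from
`safe_map`, which is the point: once the glob is never compiled, a quote
or a `$` in it is just a character. The change actually made in 2.220 is
the referenced commit; consult that, not this model, for what was fixed
in the module.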

Problem types
-------------
- CWE-95 Improper Neutralization of Directives in Dynamically Evaluated
  Code ('Eval Injection')

Solutions
---------
Upgrade to IO-Compress 2.220 or later.

References
----------
https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610.patch
https://metacpan.org/release/PMQS/IO-Compress-2.220/changes

Timeline
--------
- 2026-05-14: Issue reported.
- 2026-05-16: Version 2.220 released.