CVE-2026-49940: Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks
Robert Rothenberg
04 Jun 2026 16:09 UTC

========================================================================
CVE-2026-49940                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-49940
   Distribution:  Net-CIDR-Set
       Versions:  through 0.20

       MetaCPAN:  https://metacpan.org/dist/Net-CIDR-Set
       VCS Repo:  https://github.com/robrwo/perl-Net-CIDR-Set

Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP
addresses and netmasks

Description
-----------
Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP
addresses and netmasks.

Unicode digits such as the Arabic-Indic digit one (U+0661) were accepted
but not properly parsed as numbers.  This could cause a network mask to
cover a larger network than intended.
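
The mismatch described above, as an added example that is not
Net::CIDR::Set's own code: it assumes the loose check is a Unicode-aware
\d match (a common Perl pattern, not confirmed by this advisory), and the
function names and sample inputs are hypothetical.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
binmode STDOUT, ':encoding(UTF-8)';

# Loose check (hypothetical): on a character string, \d matches any Unicode
# decimal digit (General_Category=Nd), not only ASCII 0-9.
sub loose_prefix_len {
    my ($cidr) = @_;
    my ($len) = $cidr =~ m{/(\d+)\z} or return;
    # Numeric conversion reads only leading ASCII digits, so the value used
    # for the mask can be smaller than the text that passed validation.
    no warnings 'numeric';
    return $len + 0;
}

# Strict check: ASCII digits only, range-checked for IPv4.
# m{/(\d{1,2})\z}a is equivalent; the /a modifier restricts \d to ASCII.
sub strict_prefix_len {
    my ($cidr) = @_;
    my ($len) = $cidr =~ m{/([0-9]{1,2})\z} or return;
    return $len <= 32 ? $len + 0 : undef;
}

# Constructed sample inputs (documentation address range).
my @samples = (
    "192.0.2.0/24",
    "192.0.2.0/2\x{664}",         # ASCII "2" + ARABIC-INDIC DIGIT FOUR
    "192.0.2.0/\x{661}\x{666}",   # ARABIC-INDIC DIGITS ONE and SIX
);

for my $cidr (@samples) {
    my $loose  = loose_prefix_len($cidr);
    my $strict = strict_prefix_len($cidr);
    printf "%-14s loose=%-9s strict=%s\n", $cidr,
        defined $loose  ? "/$loose"  : 'rejected',
        defined $strict ? "/$strict" : 'rejected';
}
```

With the loose check, both non-ASCII inputs pass validation and numify to
a shorter prefix than the text appears to request, which is a larger
network; the strict check rejects them.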

Problem types
-------------
- CWE-1289 Improper Validation of Unsafe Equivalence in Input

Solutions
---------
Upgrade to version 0.21.

References
----------
https://metacpan.org/release/RRWO/Net-CIDR-Set-0.21/changes
https://nvd.nist.gov/vuln/detail/CVE-2025-40911

Timeline
--------
- 2026-05-13: Issue reported to CPANSec
- 2026-06-02: Net::CIDR::Set version 0.21 released with fix