CVE-2026-49941: Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses
Robert Rothenberg 04 Jun 2026 16:10 UTC
========================================================================
CVE-2026-49941 CPAN Security Group
========================================================================
CVE ID: CVE-2026-49941
Distribution: Net-CIDR-Set
Versions: through 0.20
MetaCPAN: https://metacpan.org/dist/Net-CIDR-Set
VCS Repo: https://github.com/robrwo/perl-Net-CIDR-Set
Net::CIDR::Set versions through 0.20 for Perl did not validate IP
addresses
Description
-----------
Net::CIDR::Set versions through 0.20 for Perl did not validate IP
addresses.
The add method called the _encode method to parse addresses. If the
addresses did not look like netmasks or network ranges, then they were
assumed to be single IP addresses and passed back to itself as a 32-bit or
128-bit netmask.
If the argument was not a well-formed IP address, then this would lead
to indefinite recursion.
An attacker could use this to cause a denial of service.
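
The recursion described above, as an added example that is not part of the advisory and not Net::CIDR::Set source code: a simplified IPv4-only model of an unvalidated re-dispatch next to a form that validates the address first. All sub names, regexes, the depth guard and the sample inputs are assumptions constructed for illustration.

```perl
#!/usr/bin/env perl
# Simplified IPv4-only model of the recursion in this advisory. This is NOT
# the Net::CIDR::Set source: sub names, regexes and inputs are constructed.
use strict;
use warnings;
use Socket qw(inet_pton AF_INET);

my $MAX_DEPTH = 50;    # demo guard so the unvalidated model terminates
my $QUAD      = qr/\d+\.\d+\.\d+\.\d+/;

sub is_ipv4 { my ($s) = @_; return defined inet_pton( AF_INET, $s ) }

# Vulnerable shape: input that is neither a netmask nor a range is assumed to
# be a single address and passed back in as a /32, with no validation.
sub encode_unvalidated {
    my ( $spec, $depth ) = @_;
    $depth //= 0;
    die "gave up after $MAX_DEPTH re-dispatches\n" if $depth > $MAX_DEPTH;
    return +{ addr => $1, bits => $2 } if $spec =~ m{^($QUAD)/(\d+)$};
    return +{ lo   => $1, hi   => $2 } if $spec =~ m{^($QUAD)-($QUAD)$};
    return encode_unvalidated( "$spec/32", $depth + 1 );
}

# Hardened shape: every address is validated, and the single-address case is
# checked before it is re-dispatched, so malformed input is rejected at once.
sub encode_validated {
    my ($spec) = @_;
    if ( $spec =~ m{^($QUAD)/(\d+)$} ) {
        my ( $addr, $bits ) = ( $1, $2 );
        die "invalid network '$spec'\n" unless is_ipv4($addr) && $bits <= 32;
        return +{ addr => $addr, bits => $bits };
    }
    if ( $spec =~ m{^($QUAD)-($QUAD)$} ) {
        my ( $lo, $hi ) = ( $1, $2 );
        die "invalid range '$spec'\n" unless is_ipv4($lo) && is_ipv4($hi);
        return +{ lo => $lo, hi => $hi };
    }
    die "invalid IP address '$spec'\n" unless is_ipv4($spec);
    return encode_validated("$spec/32");
}

# Constructed sample inputs: two well-formed, two malformed.
for my $input ( '192.0.2.7', '192.0.2.0/24', 'not-an-ip', '192.0.2' ) {
    for my $impl ( [ unvalidated => \&encode_unvalidated ],
                   [ validated   => \&encode_validated ] ) {
        my $ok = eval { $impl->[1]->($input); 1 };
        ( my $err = $@ ) =~ s/\s+\z//;
        printf "%-11s %-13s %s\n", $impl->[0], $input, $ok ? 'parsed' : "rejected: $err";
    }
}
```

In the unvalidated model the malformed inputs only stop because of the demo depth guard; the validated form rejects them on the first call.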
Problem types
-------------
- CWE-1287 Improper Validation of Specified Type of Input
- CWE-674 Uncontrolled Recursion
Solutions
---------
Upgrade to version 0.21 or later.
References
----------
https://metacpan.org/release/RRWO/Net-CIDR-Set-0.21/changes
Timeline
--------
- 2026-05-13: Issue reported to CPANSec
- 2026-06-02: Net::CIDR::Set version 0.21 released with fix