CVE-2026-60081: DBI::ProfileData versions before 1.651 for Perl do not limit the path index Robert Rothenberg 14 Jul 2026 15:39 UTC

========================================================================
CVE-2026-60081                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-60081
   Distribution:  DBI
       Versions:  before 1.651

       MetaCPAN:  https://metacpan.org/dist/DBI
       VCS Repo:  https://github.com/perl5-dbi/dbi

DBI::ProfileData versions before 1.651 for Perl do not limit the path
index

Description
-----------
DBI::ProfileData versions before 1.651 for Perl do not limit the path
index.

The path index column of profile dump files is used to allocate an
array of data for the parser. An unbounded value allows an attacker to
specify a large index and consume available memory.

Problem types
-------------
- CWE-770 Allocation of Resources Without Limits or Throttling

Solutions
---------
Upgrade to version 1.651 or later.

References
----------
https://github.com/perl5-dbi/dbi/security/advisories/GHSA-ww49-w4mv-jrr4
https://metacpan.org/release/HMBRAND/DBI-1.651/changes
https://github.com/perl5-dbi/dbi/commit/6764e755e83ee1ebb1b40760e5b53eb50960bd7a.patch