Thread Index - April 2025 - CPANSec CVE announcements

CVE-2025-30672: Mite for Perl generates code with an untrusted search path vulnerability Stig Palmquist (01 Apr 2025 01:55 UTC)
CVE-2025-30673: Sub::HandlesVia for Perl allows untrusted code to be included from the current working directory Timothy Legge (01 Apr 2025 02:13 UTC)
CVE-2025-3051: Linux::Statm::Tiny for Perl allows untrusted code to be included from the current working directory Stig Palmquist (01 Apr 2025 02:23 UTC)
CVE-2025-1805: Crypt::Salt for Perl uses insecure rand() function when generating salts for cryptographic purposes Stig Palmquist (02 Apr 2025 12:57 UTC)
CVE-2024-57868: Web::API 2.8 and earlier for Perl uses insecure rand() function for cryptographic functions Timothy Legge (05 Apr 2025 15:39 UTC)
CVE-2024-58036: Net::Dropbox::API 1.9 and earlier for Perl uses insecure rand() function for cryptographic functions Timothy Legge (05 Apr 2025 16:08 UTC)
CVE-2024-57835: Amon2::Auth::Site::LINE versions through 0.04 for Perl uses insecure rand() function for cryptographic functions Timothy Legge (05 Apr 2025 18:22 UTC)
CVE-2024-52322: WebService::Xero 0.11 for Perl uses insecure rand() function for cryptographic functions Timothy Legge (05 Apr 2025 18:23 UTC)
CVE-2024-56370: Net::Xero 0.044 and earlier for Perl uses insecure rand() function for cryptographic functions Timothy Legge (05 Apr 2025 18:27 UTC)
CVE-2025-2814: Crypt::CBC versions between 1.21 and 3.04 for Perl may use insecure rand() function for cryptographic functions Timothy Legge (12 Apr 2025 23:46 UTC)
CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes Stig Palmquist (13 Apr 2025 13:18 UTC)