Thread Index - May 2025 - CPANSec CVE announcements

  • CVE-2024-58135: Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets, posted by Breno Oliveira (03 May 2025 10:16 UTC)
  • CVE-2024-58134: Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default, posted by Breno Oliveira (03 May 2025 16:13 UTC)
  • CVE-2025-40907: FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library, posted by Stig Palmquist (16 May 2025 13:07 UTC)
  • CVE-2025-40906: BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities, posted by Stig Palmquist (16 May 2025 15:19 UTC)
  • CVE-2025-40911: Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly consider leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses, posted by Stig Palmquist (27 May 2025 21:21 UTC)
  • CVE-2020-36846: IO::Compress::Brotli versions prior to 0.007 for Perl have an integer overflow in the bundled Brotli C library, posted by Timothy Legge (30 May 2025 00:53 UTC)
  • CVE-2025-40909: Perl threads have a working directory race condition where file operations may target unintended paths, posted by Stig Palmquist (30 May 2025 12:24 UTC)