CVE-2025-40909: Perl threads have a working directory race condition where file operations may target unintended paths

Description

Perl threads have a working directory race condition where file operations may target unintended paths.

If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running.

This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit.

The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

Classification

CVE ID: CVE-2025-40909

Problem Types

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-426 Untrusted Search Path

Affected Products

Vendor: perl

Product: perl

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 2.02% (scored less or equal to compared to others)

EPSS Date: 2025-06-08 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-40909
https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9.patch
https://www.openwall.com/lists/oss-security/2025/05/22/2
https://github.com/Perl/perl5/issues/23010
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098226
https://github.com/Perl/perl5/issues/10387
https://perldoc.perl.org/5.14.0/perl5136delta#Directory-handles-not-copied-to-threads
https://github.com/Perl/perl5/commit/11a11ecf4bea72b17d250cfb43c897be1341861e

Timeline

2025-05-30 13:40:21 UTC
CVE

Perl threads have a working directory race condition where file operations may target unintended paths