CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-40911: Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly consider leading zero characters in IP CIDR address strings, which could allow...

Description

Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly handle leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses.

Leading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation.

Net::CIDR::Set used code from Net::CIDR::Lite, which had a similar vulnerability CVE-2021-47154.

Classification

CVE ID: CVE-2025-40911

Problem Types

CWE-1287 Improper Validation of Specified Type of Input

Affected Products

Vendor: RRWO

Product: Net::CIDR::Set

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 14.66% (scored less or equal to compared to others)

EPSS Date: 2025-06-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-40911
https://metacpan.org/release/RRWO/Net-CIDR-Set-0.14/changes
https://github.com/robrwo/perl-Net-CIDR-Set/commit/be7d91e8446ad8013b08b4be313d666dab003a8a.patch
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/

Timeline

2025-05-27 22:40:14 UTC
CVE

Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly consider leading zero characters in IP CIDR address strings, which could allow...