CVE-2025-40911

MEDIUM

Net::CIDR::Set <0.14 - Info Disclosure

Title source: llm

Description

Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly handle leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses. Leading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation. Net::CIDR::Set used code from Net::CIDR::Lite, which had a similar vulnerability CVE-2021-47154.

References (3)

[Patch] https://github.com/robrwo/perl-Net-CIDR-Set/commit/be7d91e8446ad8013b08b4be313d666dab003a8a.patch

[Various Sources] https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/

[Release Notes] https://metacpan.org/release/RRWO/Net-CIDR-Set-0.14/changes

Scores

CVSS v3 6.5

EPSS 0.0026

EPSS Percentile 49.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1287

Status published

Products (1)

RRWO/Net::CIDR::Set 0.10 - 0.13

Published May 27, 2025

Tracked Since Feb 18, 2026