CVE-2025-40911
Publication date 27 May 2025
Last updated 30 May 2025
Ubuntu priority
Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly handle leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses. Leading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation. Net::CIDR::Set used code from Net::CIDR::Lite, which had a similar vulnerability CVE-2021-47154.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libnet-cidr-set-perl | 25.04 plucky |
Needs evaluation
|
| 24.10 oracular |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.5 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2025-40911
- https://lists.security.metacpan.org/cve-announce/msg/29942240/
- https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
- https://github.com/robrwo/perl-Net-CIDR-Set/commit/be7d91e8446ad8013b08b4be313d666dab003a8a.patch
- https://metacpan.org/release/RRWO/Net-CIDR-Set-0.14/changes