CVE-2025-40911
Net::CIDR::Set versions 0.10 through 0.13 for Perl do not properly consider leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses.
In short
The Net::CIDR::Set Perl library, versions 0.10 through 0.13, does not correctly handle IPv4 addresses whose octets carry leading zeros (for example 010.1.2.3). Many parsers read such an octet as octal, so a string the library matches as one address can be interpreted by the rest of the system as another, letting an attacker slip past IP-based allow or deny rules.
Technical detail
Net::CIDR::Set neither normalises nor rejects IP address strings that contain leading zeros before matching them against its CIDR rules. Because a leading zero conventionally marks an octal octet, the same string can denote one address to the library and a different one to the parser that later acts on it (or to the person who wrote the rule), so an attacker who controls the address string can craft a value that passes the CIDR check while resolving to an address the rule was meant to cover. Versions 0.10 through 0.13 are affected; the flaw stems from improper handling of octal notation in the IPv4 string parsing taken from Net::CIDR::Lite, which had the similar vulnerability CVE-2021-47154.
Summary generated and translated by AI from the official description.
Net::CIDR::Set versions 0.10 through 0.13 for Perl do not properly handle leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses.
Leading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation.
Net::CIDR::Set used code from Net::CIDR::Lite, which had a similar vulnerability CVE-2021-47154.
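The following is an added illustration of the bug class the description refers to, written in Python rather than Perl and not taken from Net::CIDR::Set or Net::CIDR::Lite. It puts three parsers side by side: a lenient one that ignores leading zeros and reads every octet as decimal (the behaviour the advisory describes), an inet_aton-style one that reads a leading-zero octet as octal (how glibc and many other parsers treat the same string), and a strict one that refuses the ambiguity. The deny list (10.0.0.0/8) and the probe strings are constructed for the example.

```python
import ipaddress

# Constructed rule set for the demonstration (not from the advisory):
# deny anything inside 10.0.0.0/8.
DENY_LIST = [ipaddress.ip_network("10.0.0.0/8")]


def _split_octets(addr):
    """Split a dotted quad into its four textual octets, rejecting anything else."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted quad: {addr!r}")
    return parts


def _to_address(octets):
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range: {octets}")
    return ipaddress.IPv4Address(".".join(str(o) for o in octets))


def parse_lenient(addr):
    """The bug class in the advisory: leading zeros are ignored and every
    octet is read as decimal, so '010.1.2.3' becomes 10.1.2.3."""
    return _to_address([int(p, 10) for p in _split_octets(addr)])


def parse_inet_aton_style(addr):
    """How glibc inet_aton and many other parsers read the same string:
    an octet with a leading zero is octal, so '010' is 8 and '09' is invalid."""
    octets = []
    for p in _split_octets(addr):
        octets.append(int(p, 8) if len(p) > 1 and p[0] == "0" else int(p, 10))
    return _to_address(octets)


def parse_strict(addr):
    """Hardened parser: a leading zero makes the string ambiguous, so refuse it
    instead of guessing which convention the caller meant."""
    for p in _split_octets(addr):
        if len(p) > 1 and p[0] == "0":
            raise ValueError(f"ambiguous leading zero in {addr!r}")
    return parse_lenient(addr)  # safe now: no leading zeros remain


def is_denied(parser, addr):
    """Evaluate the constructed deny list using the given parser."""
    ip = parser(addr)
    return any(ip in net for net in DENY_LIST)


def strict_rejects(addr):
    """True if the hardened parser refuses the string."""
    try:
        parse_strict(addr)
    except ValueError:
        return True
    return False


def acl_disagreement(addr):
    """Return (lenient_verdict, inet_aton_verdict). A mismatch means the ACL
    decision depends on who parses the string, which is the bypass condition."""
    return is_denied(parse_lenient, addr), is_denied(parse_inet_aton_style, addr)


if __name__ == "__main__":
    for probe in ("10.1.2.3", "010.1.2.3", "012.1.2.3"):
        lenient, aton = acl_disagreement(probe)
        print(f"{probe:<12} lenient denied={lenient}  inet_aton denied={aton}  "
              f"strict rejects={strict_rejects(probe)}")
```

The probe 012.1.2.3 shows the deny-list bypass direction: the lenient check sees 12.1.2.3 and lets it through, while an octal-aware consumer of the same string ends up at 10.1.2.3, the address the rule was meant to block. The probe 010.1.2.3 shows the mirror case for allow-lists. The strict parser removes the disagreement by refusing any octet with a leading zero, the same choice CPython's ipaddress module made in 3.9.5 after CVE-2021-29921; whichever library performs the access check should do the same, or canonicalise to a single convention that every other component in the path also uses.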
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected products
RRWO · Net::CIDR::Set