CVE-2025-40913

Net::Dropbear versions through 0.16 for Perl contain a dependency that may be susceptible to an integer overflow

CVSS 6.5 MEDIUM · EPSS 0.3% · CWE-1395
In short

Net::Dropbear, a Perl module for SSH connections, includes an outdated math library with an integer-overflow bug: large numbers can cause unexpected behavior, potentially leading to crashes or security issues.

Technical detail

Net::Dropbear versions up to and including 0.16 bundle a version of libtommath affected by an integer overflow (CVE-2023-36328). The flaw lies in the embedded multiple-precision integer library that the SSH implementation relies on for its cryptographic operations; triggering it requires the library to process specially crafted numerical values during key exchange or authentication, potentially resulting in denial of service or memory corruption. Because the library is bundled rather than linked from the system, updating the system's libtommath does not address the issue; the fix has to come from a Net::Dropbear release newer than 0.16.

Summary generated and translated by AI from the official description.
Net::Dropbear versions through 0.16 for Perl contain a dependency that may be susceptible to an integer overflow. Net::Dropbear embeds a version of the libtommath library that is susceptible to an integer overflow associated with CVE-2023-36328.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected products
ATRODO · Net::Dropbear
