CVE-2026-45190
Net::CIDR::Lite versions before 0.24 for Perl do not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass
In short
The Net::CIDR::Lite Perl library before version 0.24 doesn't properly validate IP addresses and CIDR masks. Malformed inputs, such as those with a trailing newline or invalid characters, are parsed as a different address than the input string spells, which lets attackers bypass IP access control lists (ACLs).
Technical detail
The vulnerability stems from insufficient input validation in Net::CIDR::Lite: inputs with a trailing newline or non-ASCII digit characters pass validation but are re-encoded to different addresses during parsing, causing the find() and bin_find() methods to incorrectly match or miss IP addresses. An attacker can craft malformed CIDR entries to bypass network-based IP ACLs that rely on this library.
Summary generated and translated by AI from the official description.
Net::CIDR::Lite versions before 0.24 for Perl do not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass.
Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the input string spelled. find() and bin_find() can match or miss addresses as a result.
Example:
use Net::CIDR::Lite;
my $cidr = Net::CIDR::Lite->new();
$cidr->add("::1\n/128"); # newline embedded before the mask
$cidr->find("::1a"); # incorrectly returns true
See also CVE-2026-45191.
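A strict pre-check that callers can apply to ACL entries and lookup keys before passing them to add() or find(), shown as an added example (not code from Net::CIDR::Lite or the advisory). The helper name is_strict_cidr, the sample inputs and the loose comparison pattern are constructed for illustration; IPv6 addresses with an embedded dotted quad are rejected for brevity.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# is_strict_cidr (hypothetical helper): true only for plain ASCII IPv4/IPv6
# text with an optional /mask. IPv6 with an embedded dotted quad is rejected.
sub is_strict_cidr {
    my ($in) = @_;
    return 0 unless defined $in;
    # \A and \z anchor the whole string ("$" also matches before a final "\n");
    # [0-9] is ASCII only ("\d" also matches other Unicode decimal digits).
    my ($addr, $mask) = $in =~ m{\A([0-9A-Fa-f:.]+)(?:/([0-9]{1,3}))?\z}
        or return 0;
    my $max;
    if ($addr =~ /:/) {
        $max = 128;
        return 0 if $addr =~ /\./;
        my @halves = split /::/, $addr, -1;
        return 0 if @halves > 2;                      # at most one "::"
        my @groups = map { split /:/, $_, -1 } @halves;
        return 0 if grep { !/\A[0-9A-Fa-f]{1,4}\z/ } @groups;
        return 0 if @halves == 2 ? @groups > 7 : @groups != 8;
    } else {
        $max = 32;
        my @octets = split /\./, $addr, -1;
        return 0 unless @octets == 4;
        return 0 if grep { !/\A[0-9]{1,3}\z/ || $_ > 255 } @octets;
    }
    return 0 if defined $mask && $mask > $max;
    return 1;
}

# Constructed sample inputs: [label, raw string].
my @samples = (
    [ 'v4 CIDR',             "10.0.0.0/8" ],
    [ 'v6 host',             "::1/128" ],
    [ 'v6 lookup key',       "::1a" ],
    [ 'newline before mask', "::1\n/128" ],
    [ 'trailing newline',    "10.0.0.0/8\n" ],
    [ 'non-ASCII digits',    "10.0.0.0/\x{0662}\x{0664}" ],
);
for my $s (@samples) {
    my ($label, $raw) = @$s;
    # Generic loose pattern for comparison only; not the library's validator.
    my $loose = $raw =~ m{^[0-9A-Fa-f:.]+(?:/\d+)?$} ? 'accept' : 'reject';
    printf "%-20s loose=%-6s strict=%s\n", $label, $loose,
        is_strict_cidr($raw) ? 'accept' : 'reject';
}
```

The page lists versions before 0.24 as affected, so a check like this is a stopgap for code that cannot yet move to 0.24 or later.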
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Affected products
STIGTSP · Net::CIDR::Lite