CVE-2026-49941
Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses
In short
Net::CIDR::Set Perl library versions up to 0.20 don't properly check if IP addresses are valid before processing them. An attacker can send malformed IP addresses that cause the program to get stuck in an infinite loop, crashing the application.
Technical detail
The add method in Net::CIDR::Set through 0.20 lacks input validation on IP addresses; malformed inputs that don't match netmask or range patterns are recursively passed to _encode as 32-bit or 128-bit netmasks, triggering indefinite recursion and denial of service. Attack vector is direct method invocation with crafted IP strings; no authentication required.
Summary generated and translated by AI from the official description.
Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses.
The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to be single IP addresses and passed back to itself as a 32-bit or 128-bit netmask.
If the argument was not a well-formed IP address, then this would lead to indefinite recursion.
An attacker could use this to cause a denial of service.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
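The mitigation the description points at is input validation before the library is asked to parse anything. The following is an added example, not code from the advisory or from Net::CIDR::Set itself: a small pre-validator built only on core Perl modules that accepts a well-formed IPv4 or IPv6 address with an optional prefix length and rejects everything else, plus a wrapper that only forwards the accepted strings to the library's add method. The helper names is_valid_cidr and safe_add are hypothetical, and the constructor form Net::CIDR::Set->new({ type => 'ipv4' }) in the usage comment is assumed from the module's documentation rather than taken from this page.

```perl
#!/usr/bin/env perl
# Added example (not from the advisory or the Net::CIDR::Set module):
# reject malformed IP/CIDR strings before they reach Net::CIDR::Set->add.
# is_valid_cidr() and safe_add() are hypothetical helper names defined here.
use strict;
use warnings;
use Socket qw(inet_pton AF_INET AF_INET6);

# Return 1 when $str is a syntactically valid IPv4/IPv6 address, optionally
# followed by "/prefix" with a prefix length that fits the address family;
# return 0 otherwise.  $family is 'ipv4' or 'ipv6'.
sub is_valid_cidr {
    my ($str, $family) = @_;
    return 0 unless defined $str && length $str;

    # Split off an optional "/prefix"; whitespace or trailing junk is rejected.
    my ($addr, $prefix) = $str =~ m{^([^/\s]+)(?:/(\d{1,3}))?$} or return 0;

    my ($af, $maxbits) = $family eq 'ipv6' ? (AF_INET6, 128) : (AF_INET, 32);

    # inet_pton returns undef for anything that is not a well-formed address.
    # This is the check the unpatched add/_encode round trip never performed.
    return 0 unless defined inet_pton($af, $addr);

    # Require strict dotted-quad for IPv4 so permissive platform parsers
    # cannot let abbreviated forms through.
    return 0 if $family ne 'ipv6' && $addr !~ /^(\d{1,3}\.){3}\d{1,3}$/;

    return 0 if defined $prefix && $prefix > $maxbits;
    return 1;
}

# Forward only validated entries to the set; return the rejected ones so the
# caller can log them instead of letting the library loop on them.
sub safe_add {
    my ($set, $family, @entries) = @_;
    my @rejected;
    for my $e (@entries) {
        if (is_valid_cidr($e, $family)) {
            $set->add($e);
        }
        else {
            push @rejected, $e;
        }
    }
    return @rejected;
}

# Stand-alone check on constructed inputs (no Net::CIDR::Set required):
for my $s ('10.0.0.0/8', '192.168.1.1', 'not-an-ip', '10.0.0.0/33', '::1/128', '') {
    printf "%-14s ipv4=%d ipv6=%d\n", "'$s'",
        is_valid_cidr($s, 'ipv4'), is_valid_cidr($s, 'ipv6');
}

# Usage in front of the library (assumes Net::CIDR::Set is installed and that
# its constructor accepts { type => 'ipv4' } as documented):
#   use Net::CIDR::Set;
#   my $set = Net::CIDR::Set->new({ type => 'ipv4' });
#   my @bad = safe_add($set, 'ipv4',
#       '10.0.0.0/8', '192.168.1.1', 'not-an-ip', '10.0.0.0/33');
#   # @bad holds ('not-an-ip', '10.0.0.0/33'); only the valid entries reached add()
```

Upgrading past 0.20 is the real fix; the wrapper is for code paths that accept address strings from untrusted callers and cannot upgrade immediately, and it is also useful as a logging point, since a burst of rejected entries is a simple signal that someone is probing the parser.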
Affected products
RRWO · Net::CIDR::Set