CVE-2026-49942

Net::CIDR::Set versions through 0.20 for Perl did not validate network masks

CVSS 7.3 HIGH · EPSS 0.3% · CWE-1289
In short

Net::CIDR::Set, a Perl library for managing network ranges, accepted invalid network masks using Unicode digits and leading zeros, allowing it to incorrectly interpret which networks should be allowed. This could cause security policies that restrict network access to fail silently.

Technical detail

Net::CIDR::Set versions ≤0.20 fail to validate the mask portion of a network: Unicode digit characters (e.g., the Arabic-Indic digit one, U+0661) and non-digit characters are accepted and silently ignored, and leading zeros are accepted and treated as decimal rather than octal. An attacker can craft malformed CIDR masks that bypass intended network access controls or cause unexpected network range interpretations in security policies relying on this library.

Summary generated and translated by AI from the official description.
Net::CIDR::Set versions through 0.20 for Perl did not validate network masks. The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to accept larger networks. Leading zeros were also accepted, but treated as decimal instead of octal. This could lead to confusion about what networks are acceptable.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Affected products
RRWO · Net::CIDR::Set
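
As an added example (not code from Net::CIDR::Set or its author), a caller-side check that rejects the mask forms listed in the description before a string reaches any CIDR parser. The helper name `strict_ipv4_prefix` and the sample inputs are constructed for illustration, and the example covers IPv4 only.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical helper (not part of Net::CIDR::Set): return the prefix length
# of an IPv4 CIDR string, or undef if it is not canonical ASCII decimal.
# A bare address without "/mask" is rejected as well.
sub strict_ipv4_prefix {
    my ($cidr) = @_;
    return unless defined $cidr;

    # Split on the first '/', keeping everything after it as the mask.
    my ($addr, $mask) = split m{/}, $cidr, 2;
    return unless defined $mask;

    # [0-9] instead of \d: in Perl, \d also matches Unicode decimal digits
    # such as U+0661 unless the /a modifier is used. \z (not $) so that a
    # trailing newline is rejected too. "0" is allowed, "024" is not.
    return unless $mask =~ /\A(?:0|[1-9][0-9]?)\z/;
    return if $mask > 32;

    # The address must be four ASCII decimal octets without leading zeros.
    my @octets = split /\./, $addr, -1;
    return unless @octets == 4;
    for my $o (@octets) {
        return unless $o =~ /\A(?:0|[1-9][0-9]{0,2})\z/ && $o <= 255;
    }
    return $mask + 0;
}

# Constructed sample inputs.
my @samples = (
    "192.0.2.0/24",           # canonical
    "192.0.2.0/2\x{0664}",    # ASCII 2 + ARABIC-INDIC DIGIT FOUR
    "192.0.2.0/\x{0661}6",    # ARABIC-INDIC DIGIT ONE + ASCII 6
    "192.0.2.0/2x4",          # non-digit inside the mask
    "192.0.2.0/024",          # leading zero
    "192.0.2.0/33",           # out of range
    "192.0.2.0/24\n",         # trailing newline
);

binmode STDOUT, ':encoding(UTF-8)';
for my $s (@samples) {
    my $p = strict_ipv4_prefix($s);
    (my $shown = $s) =~ s/\n/\\n/g;
    printf "%-16s %s\n", $shown, defined $p ? "accept /$p" : "reject";
}
```

Only the first sample is accepted; every other input is rejected outright rather than normalised, so the range a policy author wrote is the range that gets enforced.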
