CVE-2025-40909

EPSS 0.01%
Published 30.05.2025 12:20:11
Last modified 05.09.2025 14:15:44
Source 9b29abf9-4ab0-4765-b253-1875cd
Teams watchlist Login
Open Login

Perl threads have a working directory race condition where file operations may target unintended paths.

If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. 

This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit.

The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

Affected products Warnungen 0 Metrics 2 CWE 2 References 17

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Vendorperl

≫

Product perl

Default Statusunaffected

Version < 5.41.13

Version 5.13.6

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.01%	0.007

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.9	2.5	3.4	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-426 Untrusted Search Path

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

CWE-689 Permission Race Condition During Resource Copy

The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.

https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9.patch

https://www.openwall.com/lists/oss-security/2025/05/22/2

https://github.com/Perl/perl5/issues/23010

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098226

https://github.com/Perl/perl5/issues/10387

https://perldoc.perl.org/5.14.0/perl5136delta#Directory-handles-not-copied-to-threads

https://github.com/Perl/perl5/commit/11a11ecf4bea72b17d250cfb43c897be1341861e

http://www.openwall.com/lists/oss-security/2025/05/23/1

http://www.openwall.com/lists/oss-security/2025/05/30/4

http://www.openwall.com/lists/oss-security/2025/06/02/2

http://www.openwall.com/lists/oss-security/2025/06/02/5

http://www.openwall.com/lists/oss-security/2025/06/02/6