Perl Perl

Do you want an email whenever new security vulnerabilities are reported in Perl?

By the Year

In 2024 there have been 0 vulnerabilities in Perl . Last year Perl had 4 security vulnerabilities published. Right now, Perl is on track to have less security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 4 8.95
2022 0 0.00
2021 0 0.00
2020 3 8.10
2019 0 0.00
2018 8 9.14

It may take a day or so for new Perl vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Perl Security Vulnerabilities

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{

CVE-2023-47100 9.8 - Critical - December 02, 2023

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

Improper Handling of Exceptional Conditions

In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash

CVE-2022-48522 9.8 - Critical - August 22, 2023

In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.

Memory Corruption

HTTP::Tiny before 0.083

CVE-2023-31486 8.1 - High - April 29, 2023

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.

Improper Certificate Validation

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

CVE-2023-31484 8.1 - High - April 29, 2023

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

Improper Certificate Validation

regcomp.c in Perl before 5.30.3

CVE-2020-12723 7.5 - High - June 05, 2020

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

Classic Buffer Overflow

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation

CVE-2020-10878 8.6 - High - June 05, 2020

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

Integer Overflow or Wraparound

Perl before 5.30.3 on 32-bit platforms

CVE-2020-10543 8.2 - High - June 05, 2020

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

Memory Corruption

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression

CVE-2018-18311 9.8 - Critical - December 07, 2018

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

Memory Corruption

Perl before 5.26.3 has a buffer over-read via a crafted regular expression

CVE-2018-18313 9.1 - Critical - December 07, 2018

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

Out-of-bounds Read

Perl before 5.26.3 has a buffer overflow via a crafted regular expression

CVE-2018-18314 9.8 - Critical - December 07, 2018

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

Buffer Overflow

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression

CVE-2018-18312 9.8 - Critical - December 05, 2018

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

Buffer Overflow

In Perl through 5.26.2, the Archive::Tar module

CVE-2018-12015 7.5 - High - June 07, 2018

In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.

insecure temporary file

An issue was discovered in Perl 5.18 through 5.26

CVE-2018-6797 9.8 - Critical - April 17, 2018

An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written.

Memory Corruption

An issue was discovered in Perl 5.22 through 5.26

CVE-2018-6798 7.5 - High - April 17, 2018

An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.

Out-of-bounds Read

Heap-based buffer overflow in the pack function in Perl before 5.26.2

CVE-2018-6913 9.8 - Critical - April 17, 2018

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

Memory Corruption

Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1

CVE-2017-12837 7.5 - High - September 19, 2017

Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier.

Buffer Overflow

Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1

CVE-2017-12883 9.1 - Critical - September 19, 2017

Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape.

Buffer Overflow

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22

CVE-2015-8608 9.8 - Critical - February 07, 2017

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

Out-of-bounds Read

The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might

CVE-2016-6185 7.8 - High - August 02, 2016

The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory.

(1) cpan/Archive-Tar/bin/ptar

CVE-2016-1238 7.8 - High - August 02, 2016

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

Permissions, Privileges, and Access Controls

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process

CVE-2016-2381 7.5 - High - April 08, 2016

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

Improper Input Validation

Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might

CVE-2011-2939 - January 13, 2012

Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Unicode string, which triggers a heap-based buffer overflow.

Numeric Errors

Perl 5.004_04 and earlier follows symbolic links when running with the -e option, which

CVE-1999-1386 5.5 - Medium - December 31, 1999

Perl 5.004_04 and earlier follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack on the /tmp/perl-eaXXXXX file.

insecure temporary file

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Perl or by Perl? Click the Watch button to subscribe.

Perl
Vendor

Perl
Product

subscribe