Security Advisories (1)

CVE-2025-40909 (2025-05-30)

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

NAME

FIXME - short description of the security issue, with an identifier of the issue as the manpage name

DESCRIPTION

This document describes the FIXME security vulnerability for perl 5.

Are there any known exploits "in the wild" for this vulnerability

FIXME or delete

Who is particularly vulnerable because of this issue?

FIXME or delete

What is the nature of the vulnerability?

FIXME

What potential exploits are enabled by this vulnerability?

FIXME or delete

Which major versions of perl 5 are affected?

FIXME with a list of versions that are affected, and which were updated.

How can users protect themselves?

FIXME or use the following:

If you are vulnerable, upgrade to the latest maintenance release for the version of perl you are using.

If your release of perl is no longer supported by the perl 5 committers you may need to upgrade to a new major release of perl. The versions currently supported by the perl 5 committers are FIXME 5.28.2 (until 2020-05-31) and FIXME 5.30.1 (until 2021-05-31). The current version of perl is available from https://www.perl.org/get.html .

Who was given access to the information about the vulnerability?

FIXME or use the following:

Specifics about the vulnerability were first disclosed to perl-security, a closed subscriber mailing list that has a subset of the perl committers subcribed to it.

When was the vulnerability discovered?

FIXME

Who discovered the vulnerability?

FIXME

How was the vulnerability reported?

FIXME: something like "So-and-so sent email to perl-security@perl.org"

To install less, copy and paste the appropriate command in to your terminal.

cpanm

cpanm less

CPAN shell

perl -MCPAN -e shell
install less

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)

NAME

DESCRIPTION

Are there any known exploits "in the wild" for this vulnerability

Who is particularly vulnerable because of this issue?

What is the nature of the vulnerability?

What potential exploits are enabled by this vulnerability?

Which major versions of perl 5 are affected?

How can users protect themselves?

Who was given access to the information about the vulnerability?

When was the vulnerability discovered?

Who discovered the vulnerability?

How was the vulnerability reported?

Module Install Instructions