CPANSA-Mite-2025-30672: Mite vulnerability
Publisher | giterlizzi | Document category | csaf_security_advisory |
---|---|---|---|
Initial release date | 2025-04-01T00:00:00 | Engine | CSAF Perl Toolkit 0.25 |
Current release date | 2025-04-01T00:00:00 | Build Date | |
Current version | 1 | Status | final |
CVSS v3.1 Base Score | 6.5 | Severity | |
Original language | | Language | en |
Also referred to | | | |
Vulnerability Description
Mite for Perl before 0.013000 generates code with the current working directory ('.') added to the @INC path, similar to CVE-2016-1238. If an attacker can place a malicious file in the current working directory, it may be loaded instead of the intended file, potentially leading to arbitrary code execution. This affects the Mite distribution itself and other distributions that contain code generated by Mite.
Vulnerabilities
CVE-2025-30672
Vulnerability Description
Mite for Perl before 0.013000 generates code with the current working directory ('.') added to the @INC path, similar to CVE-2016-1238. If an attacker can place a malicious file in the current working directory, it may be loaded instead of the intended file, potentially leading to arbitrary code execution. This affects the Mite distribution itself and other distributions that contain code generated by Mite.
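An added audit example for the CWE-427 pattern described above (not Mite's own code and not part of the advisory): a runtime check for relative @INC entries, plus a heuristic source scan that flags lines adding '.' to @INC, run over a constructed vulnerable snippet and its hardened counterpart. The module names, file layout and regex patterns are assumptions for illustration.

```perl
# Added audit example for the CWE-427 pattern this advisory describes: Perl code
# that adds '.' (the current working directory) to @INC. Not Mite's code; the
# sample sources below are constructed for illustration.
use strict;
use warnings;
use File::Spec;

# Runtime check: the @INC entries that are relative ('.', '' or any path that is
# not absolute), skipping code-ref hooks.
sub unsafe_inc_entries {
    return grep { !ref($_) && ($_ eq '' || !File::Spec->file_name_is_absolute($_)) } @_;
}
# Source-level check: flag lines that add '.' to @INC. The regexes cover common
# spellings and are a heuristic, not a Perl parser.
my @dot_inc_patterns = (
    qr/\buse\s+lib\s+(?:'\.'|"\.")/,
    qr/\b(?:unshift|push)\s*\(?\s*\@INC\s*,\s*(?:'\.'|"\.")/,
    qr/\@INC\s*=\s*\([^)]*(?:'\.'|"\.")/,
);
sub find_dot_inc {
    my ($source) = @_; my (@hits, $n);
    for my $line (split /\n/, $source) {
        $n++;
        next if $line =~ /^\s*#/;    # ignore comment-only lines
        push @hits, [$n, $line] if grep { $line =~ $_ } @dot_inc_patterns;
    }
    return @hits;
}
# Constructed vulnerable shape: a file My/Class/Mite.pm placed in the current
# directory would be loaded ahead of the installed module.
my $vulnerable = <<'PERL';
package My::Class;
use lib '.';
require My::Class::Mite;
PERL
# Constructed hardened counterpart: no relative entry is added, so only the
# interpreter's configured @INC is searched.
my $hardened = <<'PERL';
package My::Class;
require My::Class::Mite;
PERL

for my $pair ([vulnerable => $vulnerable], [hardened => $hardened]) {
    my ($name, @hits) = ($pair->[0], find_dot_inc($pair->[1]));
    printf "%-10s %s\n", $name, @hits ? "FLAGGED line $hits[0][0]: $hits[0][1]" : 'ok';
}
# perl 5.26+ drops '.' from @INC by default; PERL_USE_UNSAFE_INC=1 restores it.
my @bad = unsafe_inc_entries(@INC);
print @bad ? "relative \@INC entries: @bad\n" : "\@INC has no relative entries\n";
```

Running the script flags the `use lib '.'` line in the constructed vulnerable sample and reports the hardened sample as clean; the final check reports whether the running interpreter's own @INC still carries a relative entry.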
Weakness: CWE-427 : Uncontrolled Search Path Element
Product status
Known affected
- Mite less than 0.013000
Fixed
- Mite greater than or equal to 0.013000
Publisher: giterlizzi
Namespace: https://github.com/giterlizzi/
Contact: gdt@cpan.org
References
- CPANSA-Mite-2025-30672 JSON (self): https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2025/cpansa-mite-2025-30672.json
- https://blogs.perl.org/users/todd_rinaldo/2016/11/what-happened-to-dot-in-inc.html (external)
- https://metacpan.org/release/TOBYINK/Mite-0.013000/changes (external)
- https://perldoc.perl.org/perlrun#PERL_USE_UNSAFE_INC (external)
- https://wiki.gentoo.org/wiki/Project:Perl/Dot-In-INC-Removal (external)
- CVE-2025-30672 (NVD) (external): https://nvd.nist.gov/vuln/detail/CVE-2025-30672
Revision history
Version | Date of the revision | Summary of the revision |
---|---|---|
1 | Tue Apr 1 00:00:00 2025 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/