Description
IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date.

_dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die.

The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.
Published: 2026-05-27
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when IO::Uncompress::Unzip encounters a malformed DOS date field in the local file header of a zip archive. The internal _dosToUnixTime() function decodes this field and calls Time::Local::timelocal() without protection. If the decoded month, day, or hour exceeds its valid range, timelocal() dies, and the exception propagates to the caller. This uncaught exception causes the application to terminate unexpectedly, yielding a denial of service. The weakness falls under CWE-248, Uncaught Exception.

Affected Systems

Perl CPAN module IO::Uncompress::Unzip provided by PMQS is affected in all releases before version 2.215. Applications that depend on this module and parse zip files may be impacted.

Risk and Exploitability

An attacker who can supply a crafted zip file to an affected program can trigger the exception. The lack of input validation for the DOS date field makes the flaw readily exploitable. Because the vulnerability results in a crash rather than code execution, the risk is high for availability but low for confidentiality and integrity. No EPSS score is available and the issue is not listed in CISA KEV, but its impact on application uptime warrants immediate attention.

Generated by OpenCVE AI on May 27, 2026 at 04:23 UTC.

Remediation

Vendor Solution

Upgrade to IO-Compress 2.215 or later.


OpenCVE Recommended Actions

  • Upgrade the IO-Compress distribution to version 2.215 or later.
  • Modify any code that creates an IO::Uncompress::Unzip object to bracket the call with exception handling, such as eval or an equivalent try/catch construct, and treat a failure as a non-fatal error.
  • Validate incoming zip files before passing them to IO::Uncompress::Unzip, or use a higher-level wrapper that sanitizes DOS date fields.
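The two recommended mitigations above, as an added Perl example (not code from IO-Compress or OpenCVE): a range check on a raw DOS date/time pair using the standard MS-DOS bit layout, and a constructor wrapper that turns a die() inside header parsing into the undef-plus-error result callers already expect. The function names open_unzip and dos_datetime_ok are assumptions, as is the sample path.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use IO::Uncompress::Unzip qw($UnzipError);

# Check the two 16-bit fields of a local-file-header modification stamp
# before trusting them. Standard DOS layout: date = 7 bits year-since-1980,
# 4 bits month, 5 bits day; time = 5 bits hour, 6 bits minute, 5 bits sec/2.
# Rejects exactly the out-of-range values that make timelocal() die
# (a per-month day limit, e.g. 30 February, would need a stricter check).
sub dos_datetime_ok {
    my ($date, $time) = @_;
    my $day   =  $date        & 0x1f;
    my $month = ($date >>  5) & 0x0f;
    my $hour  = ($time >> 11) & 0x1f;
    my $min   = ($time >>  5) & 0x3f;
    my $sec   = ($time        & 0x1f) * 2;
    return 0 if $month < 1 || $month > 12;
    return 0 if $day   < 1 || $day   > 31;
    return 0 if $hour  > 23 || $min  > 59 || $sec > 59;
    return 1;
}

# Open an archive so that both failure modes look alike to the caller:
# a normal constructor failure (undef + $UnzipError) and an uncaught
# exception from header parsing both come back as (undef, $message).
sub open_unzip {
    my ($path) = @_;
    my $z = eval { IO::Uncompress::Unzip->new($path) };
    if ($@) {
        chomp(my $err = $@);
        return (undef, "header parse died: $err");
    }
    return (undef, "cannot open $path: $UnzipError") unless defined $z;
    return ($z, undef);
}

# Usage: report the first member name, or a non-fatal error, never a crash.
my ($z, $err) = open_unzip($ARGV[0] // 'archive.zip');   # assumed path
if (!$z) { warn "$err\n"; exit 1; }
print $z->getHeaderInfo->{Name}, "\n";
$z->close;
```

dos_datetime_ok is for code that reads the local file header itself (or a wrapper that does) before handing the archive to an unpatched parser; once IO-Compress 2.215 is installed the eval guard remains a sensible belt-and-braces measure.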


Advisories

No advisories yet.

History

Wed, 27 May 2026 10:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Pmqs; Pmqs io::uncompress::unzip
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Pmqs; Pmqs io::uncompress::unzip

Wed, 27 May 2026 08:30:00 +0000

Type: References
  Values Removed: (none)
  Values Added: (none)

Wed, 27 May 2026 03:30:00 +0000

Type: Description
  Values Added: IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die. The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.
Type: Title
  Values Added: IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date
Type: Weaknesses
  Values Added: CWE-248
Type: References
  Values Added: (none)

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-27T07:24:54.753Z

Reserved: 2026-05-26T18:17:10.655Z

Link: CVE-2025-15649

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-27T04:16:23.873

Modified: 2026-05-27T19:38:33.270

Link: CVE-2025-15649

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:08:02Z

Weaknesses