Impact
DBI versions released before 1.650 for Perl contain a code injection flaw. When a caller supplies a string to the DBI handle’s Profile attribute, the library splits the string, extracts a package name, and evaluates that name with no validation. This allows an attacker to inject arbitrary Perl code that can invoke system commands. The consequence is full compromise of the host process, exposing confidentiality, integrity, and availability of the affected system.
Affected Systems
The vulnerability affects the DBI library provided by HMBRAND, in all releases prior to 1.650. It can be triggered from any source that populates the Profile attribute, including the environment variable DBI_PROFILE, direct attribute assignments in code, or the DSN driver‑attribute clause dbi:Driver(Profile=>SPEC):db. Systems that use DBI without restricting these inputs are at risk.
Risk and Exploitability
The flaw delivers remote code execution, which is the highest tier of impact. Although the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, the absence of a mitigated patch and the presence of a direct eval path suggest a high likelihood of exploitation wherever an attacker can influence one of the three Profile inputs. A network exposed DBI::Gofer or DBI::ProxyServer is the strongest remote surface, as a client can craft a per‑request DSN that reaches the Profile attribute and run code on the broker host. The attack vector is inferred to be remote exploitation via untrusted DSN data or local injection through environment variables or code paths that assign to Profile.
OpenCVE Enrichment