Impact
Net::CIDR::Lite versions before 0.24 do not strip or reject leading zeros in the mask part of a CIDR string. Mask forms such as "/00" or "/01" are accepted by the parser and numified to the same prefix length as "/0" and "/1", so several textually different strings denote the same range. Because no canonical form is enforced, a check that the surrounding application performs on the string (for example, comparing the mask against a list of permitted or forbidden values) can disagree with the range the module actually uses: an attacker who controls the CIDR value can supply a zero-padded mask that passes the textual check yet is interpreted as a shorter prefix than intended, widening the address range the rule matches so that traffic which should have been blocked is allowed through. The flaw is classified as an input validation issue, CWE-1289 (Improper Validation of Unsafe Equivalence in Input).
Affected Systems
Vendor: STIGTSP. Product: Net::CIDR::Lite for Perl. Affected releases: all versions prior to 0.24 (0.23 and earlier).
Risk and Exploitability
The vulnerability is exploitable through any software that uses Net::CIDR::Lite to enforce IP-based access control. An attacker who can influence the arguments passed to the module, whether through a network service that accepts address ranges, a configuration file or other user input, can supply a CIDR value that looks like a forbidden range but is interpreted as a broader set of addresses. The module itself has no network exposure; the attack surface is whatever interface of the calling application accepts IP or CIDR values, so the attack may be carried out remotely (any request or field that carries an address range) or locally (by editing a configuration file the application reads). Mitigation on the caller's side is to upgrade to 0.24 or later and, independently of the library version, to accept only canonical CIDR strings (no leading zeros in the octets or the mask) before passing them to the module. No EPSS score was reported and the vulnerability is not listed in the CISA KEV catalogue, but the impact of bypassing network ACLs is significant, so the risk is considered high to critical when the application relies heavily on IP filtering.
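To make the canonical-form requirement from the Impact and Risk sections concrete, the following is an added example, not code from Net::CIDR::Lite or its author: a Perl guard that accepts only canonical IPv4 CIDR strings before handing them to the module, followed by a probe of what an unguarded add() does with a zero-padded mask. The helper names canonical_ipv4_cidr and build_acl are invented for this illustration, and the five CIDR strings in the input list are constructed test values.

```perl
#!/usr/bin/env perl
# Added example: a canonical-form gate in front of Net::CIDR::Lite.
# Not part of the module; canonical_ipv4_cidr and build_acl are
# illustrative helper names.
use strict;
use warnings;
use Net::CIDR::Lite;

# Return "a.b.c.d/n" if the string is already in canonical form, or undef
# otherwise. Leading zeros in the octets ("010.0.0.0/8") or in the mask
# ("10.0.0.0/08") are rejected rather than normalised, so two different
# strings can never name the same range on the way into the ACL.
sub canonical_ipv4_cidr {
    my ($cidr) = @_;
    return undef unless defined $cidr;
    my ($ip, $mask) = $cidr =~ m{\A(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})\z}
        or return undef;
    # "0" is the only octet or mask value allowed to begin with a zero
    for my $octet (split /\./, $ip) {
        return undef if $octet =~ /\A0\d/ || $octet > 255;
    }
    return undef if $mask =~ /\A0\d/ || $mask > 32;
    return "$ip/$mask";
}

# Build an ACL only from canonical entries; everything else is reported
# back to the caller instead of being handed to the library.
sub build_acl {
    my (@entries) = @_;
    my $acl = Net::CIDR::Lite->new;
    my @rejected;
    for my $entry (@entries) {
        my $canon = canonical_ipv4_cidr($entry);
        if (defined $canon) { $acl->add($canon) }
        else                { push @rejected, $entry }
    }
    return ($acl, \@rejected);
}

# Constructed inputs: the first two are well formed, the remaining three
# carry the kind of leading zeros the advisory describes.
my @input = ('10.0.0.0/8', '192.168.1.0/24',
             '10.0.0.0/08', '172.16.0.0/012', '010.0.0.0/8');
my ($acl, $rejected) = build_acl(@input);

print "accepted: $_\n" for $acl->list;
print "rejected: $_\n" for @$rejected;

# Probe the unguarded library with a zero-padded mask. The call is wrapped
# in eval so a version that croaks on the input still lets the script end.
my $raw = Net::CIDR::Lite->new;
my $ok  = eval { $raw->add('10.0.0.0/08'); 1 };
print "raw add('10.0.0.0/08'): ",
      ($ok ? join(',', $raw->list) : "rejected ($@)"), "\n";
```

On a version affected as the advisory describes, the final probe reports the padded mask as accepted and lists it as 10.0.0.0/8; the guard in build_acl rejects it regardless of which library version is installed, which is the behaviour to rely on when the CIDR strings come from outside the application.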
OpenCVE Enrichment