Description
GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization.

GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary code back on the client through unsafe deserialization in the RPC protocol.

read_operation() in lib/GRID/Machine/Message.pm deserialises values from the remote side using eval():

$arg .= '$VAR1';
my $val = eval "no strict; $arg"; # line 40-41

$arg is raw bytes from the protocol pipe. A compromised remote host can embed arbitrary Perl in the Dumper-formatted response:

$VAR1 = do { system("..."); };

This executes on the client silently on every RPC call, as the return values remain correct.

This functionality is by design, but the trust requirement for the remote host is not documented in the distribution.
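The following Perl script is an added illustration of the pattern described above; it is not GRID::Machine's own code, and the function names and sample messages are constructed for the demo. read_value_unsafe() reproduces the eval-based reader quoted from Message.pm; read_value_safe() shows the stop-gap of evaluating the same Dumper text inside a Safe compartment whose opcode mask excludes system(), exec, open, require and eval; read_value_json() shows the data-only transport that removes the code-execution path entirely. The hostile sample is only ever fed to the two hardened readers, so the demo never executes peer-controlled code.

```perl
#!/usr/bin/perl
# Added illustration for CVE-2026-4851; not GRID::Machine's own code.
# Function names and the sample messages below are constructed for the demo.
use strict;
use warnings;
use Safe;
use JSON::PP;   # core module since Perl 5.14

# The pattern quoted in the advisory: the peer's Dumper-formatted text is
# appended with '$VAR1' and handed to eval, so any Perl the peer sends runs
# here with the client's privileges (CWE-95 / CWE-502).
sub read_value_unsafe {
    my ($arg) = @_;
    $arg .= '$VAR1';
    my $val = eval "no strict; $arg";
    die "deserialisation failed: $@" if $@;
    return $val;
}

# Stop-gap: evaluate the same text inside a Safe compartment whose opcode
# mask (the :default set) lacks system/exec/backticks/open/require/eval.
# Building plain data structures still works; anything else dies with a
# "trapped by operation mask" error, which is worth logging because a
# well-behaved peer never triggers it.
sub read_value_safe {
    my ($arg) = @_;
    my $cpt = Safe->new;
    $cpt->permit_only(':default');
    my $val = $cpt->reval($arg . '$VAR1');
    die "untrusted message rejected: $@" if $@;
    return $val;
}

# Proper fix: carry values in a data-only encoding. A JSON decoder has no
# code path that executes its input, so a hostile peer can at worst make
# the decode fail.
sub read_value_json {
    my ($bytes) = @_;
    my $val = eval { JSON::PP->new->utf8->decode($bytes) };
    die "malformed message rejected: $@" if $@;
    return $val;
}

# Constructed sample messages, not captured GRID::Machine traffic.
my $benign_dumper  = q{$VAR1 = { 'status' => 'ok', 'result' => [1,2,3] };};
# Same shape as the advisory's example, with a no-op command standing in for
# a real payload; it is only ever fed to the two hardened readers below.
my $hostile_dumper = q{$VAR1 = do { system('true'); { 'status' => 'ok' } };};
my $benign_json    = '{"status":"ok","result":[1,2,3]}';

my $v = read_value_unsafe($benign_dumper);
printf "unsafe reader, benign input : status=%s\n", $v->{status};

$v = read_value_safe($benign_dumper);
printf "Safe reader, benign input   : status=%s\n", $v->{status};

$v = eval { read_value_safe($hostile_dumper) };
print "Safe reader, hostile input  : $@";

$v = read_value_json($benign_json);
printf "JSON reader, benign input   : status=%s\n", $v->{status};

$v = eval { read_value_json($hostile_dumper) };
print "JSON reader, hostile input  : $@";
```

The Safe variant is a containment measure, not a protocol fix: the peer's text is still compiled as Perl, and the :default opset is documented as subject to change, so a client that cannot switch transports should still follow the advisory's advice and connect only to trusted hosts. Logging the "trapped by operation mask" failures gives a cheap detection signal for a peer that has started sending something other than data.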
Published: 2026-03-29
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution on client via unsafe deserialization
Action: Restrict hosts
AI Analysis

Impact

GRID::Machine, a Perl library that provides remote procedure calls over SSH, deserializes data from the remote side using eval without strictness checks. The binary payload from the RPC protocol is concatenated into a string and evaluated, allowing an attacker who controls or compromises the remote host to inject arbitrary Perl code, such as system calls, that executes silently on the client. This results in full code execution on the client with the permissions of the running user, potentially compromising confidentiality, integrity, and availability of the client system.

Affected Systems

The vulnerability affects all releases of CASIANO’s GRID::Machine for Perl up to and including version 0.127. In these versions the RPC interface accepts responses from any remote host without authentication or validation, meaning that any machine the client trusts and connects to could trigger the payload.

Risk and Exploitability

With a CVSS score of 9.8 the flaw is a critical remote code execution vulnerability. Although the EPSS score is below 1 per cent and the issue is not listed in the CISA KEV catalog, the lack of a patch means the attack surface remains open. In practice an attacker must possess or compromise a remote host that the client connects to via the RPC mechanism; once that condition is met, the exploitation path is straightforward through the unsafe eval. Until mitigation is applied the risk to all affected installations is high and the impact could be total system compromise.

Generated by OpenCVE AI on April 1, 2026 at 06:44 UTC.

Remediation

Vendor Workaround

There is no fix available. If used, only connect to trusted remote hosts.


OpenCVE Recommended Actions

  • Connect to remote hosts only if they are fully trusted, using explicit host whitelisting or firewall rules
  • Verify that all machines participating in RPC are free from compromise and regularly audited
  • If possible, isolate the client from untrusted networks or use a separate user context with limited privileges
  • Monitor network traffic for unexpected RPC calls and log any deserialization activity

Generated by OpenCVE AI on April 1, 2026 at 06:44 UTC.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Casiano grid\
CPEs                  (none)           cpe:2.3:a:casiano:grid\:\:machine:*:*:*:*:*:perl:*:*
Vendors & Products    (none)           Casiano grid\
Metrics               (none)           cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 30 Mar 2026 07:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Casiano; Casiano grid::machine
Vendors & Products    (none)           Casiano; Casiano grid::machine

Sun, 29 Mar 2026 02:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization. GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary code back on the client through unsafe deserialization in the RPC protocol. read_operation() in lib/GRID/Machine/Message.pm deserialises values from the remote side using eval() $arg .= '$VAR1'; my $val = eval "no strict; $arg"; # line 40-41 $arg is raw bytes from the protocol pipe. A compromised remote host can embed arbitrary perl in the Dumper-formatted response: $VAR1 = do { system("..."); }; This executes on the client silently on every RPC call, as the return values remain correct. This functionality is by design but the trust requirement for the remote host is not documented in the distribution.
Title         (none)           GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization
Weaknesses    (none)           CWE-502; CWE-95
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-04-01T14:17:48.164Z

Reserved: 2026-03-25T14:56:47.454Z

Link: CVE-2026-4851

Vulnrichment

No data.

NVD

Status : Modified

Published: 2026-03-29T01:15:56.967

Modified: 2026-04-01T15:23:23.980

Link: CVE-2026-4851

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:55:07Z

Weaknesses