Description
Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses.

The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask.

If the argument was not a well-formed IP address, then this would lead to indefinite recursion.

An attacker could use this to cause a denial of service.
Published: 2026-06-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Net::CIDR::Set versions up to 0.20 failed to validate IP addresses supplied to the add method. When the input did not resemble a netmask or network range, the library treated it as a single IP and recursively passed it back to itself via the _encode routine. This unbounded recursion can exhaust system resources and crash the process, resulting in a denial of service. The flaw does not provide a path to arbitrary code execution or data disclosure; it merely impacts availability.

Affected Systems

The affected product is Net::CIDR::Set from the vendor RRWO. All releases through version 0.20 are impacted, including 0.20 and all earlier iterations that lack the validation safeguard.

Risk and Exploitability

The CVSS score of 7.5 indicates a high risk, and EPSS data are not available, so the threat assessment relies on the description. The vulnerability can be triggered by supplying a malformed IP to the add routine, a scenario that could arise from untrusted input in Perl applications that import this module. Though the attack surface requires the attacker to influence the invocation of add, it can lead to a noticeable denial of service. The issue is not listed in CISA's KEV catalog, indicating it has not been observed as a widely exploited vulnerability in the wild.

Generated by OpenCVE AI on June 4, 2026 at 19:22 UTC.

Remediation

Vendor Solution

Upgrade to version 0.21 of later.

OpenCVE Recommended Actions

  • Upgrade Net::CIDR::Set to version 0.21 or later to apply the input‑validation patch.
  • Prior to using add, validate any IP input with a reliable IP validation routine or regex; reject malformed addresses to prevent unintended recursion.
  • Audit all Perl scripts that use Net::CIDR::Set and replace direct calls to add with a wrapper that enforces validation, or substitute the module with a more secure alternative until the official patch can be applied.

Generated by OpenCVE AI on June 4, 2026 at 19:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Rrwo net\
CPEs cpe:2.3:a:rrwo:net\:\:cidr\:\:set:*:*:*:*:*:perl:*:*
Vendors & Products Rrwo net\

Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Rrwo
Rrwo net::cidr::set
Vendors & Products Rrwo
Rrwo net::cidr::set

Thu, 04 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
References

Thu, 04 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask. If the argument was not a well-formed IP address, then this would lead to indefinite recursion. An attacker could use this to cause a denial of service.
Title Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses
Weaknesses CWE-1287
CWE-674
References

Subscriptions

Rrwo Net::cidr::set Net\
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-04T18:45:40.658Z

Reserved: 2026-06-02T16:06:23.069Z

Link: CVE-2026-49941

cve-icon Vulnrichment

Updated: 2026-06-04T18:45:40.658Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T17:16:33.173

Modified: 2026-06-08T16:37:29.237

Link: CVE-2026-49941

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T10:07:30Z

Weaknesses
  • CWE-1287

    Improper Validation of Specified Type of Input

  • CWE-674

    Uncontrolled Recursion