Description
WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution.

With no explicit cache backend, WWW::Mechanize::Cached constructs a default Cache::FileCache under /tmp/FileCache without overriding the backend's documented directory_umask of 000, so the cache root and its subdirectories are created mode 0777 with no sticky bit. Cache entries are named by sha1_hex of the request and read back through Storable::thaw on the next cache hit.

A local attacker with write access to the cache tree can replace a victim's cache entry for a known URL with an arbitrary frozen HTTP::Response blob, causing the victim's next get() of that URL to return attacker controlled response bytes. Because the bytes are passed to Storable::thaw, a victim process that has loaded any class with a side-effectful STORABLE_thaw, DESTROY, or overload hook can be escalated to arbitrary code execution.
Published: 2026-05-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a local code execution flaw caused by deserializing cached HTTP responses in the WWW::Mechanize::Cached Perl module. Cached responses are stored as frozen blobs and later recovered with Storable::thaw. If a non‑privileged attacker can write to the cache directory, they can replace a victim’s cached entry with a crafted blob. When the victim’s process retrieves the URL, Storable::thaw processes the malicious data, triggering any side‑effectful STORABLE_thaw, DESTROY, or overload hooks that may be defined by loaded classes. This chain can execute arbitrary code in the context of the victim process.

Affected Systems

The affected product is WWW::Mechanize::Cached distributed by OALDERS. All releases prior to version 2.00 are vulnerable. These releases construct a default Cache::FileCache tree under /tmp/FileCache without enforcing a restrictive directory_umask, resulting in directories created with 0777 permissions. The absence of a sticky bit and the world‑writable nature of the cache allow any local user with write access to the directory to alter cache entries.

Risk and Exploitability

Because the flaw requires only local write access to the cache tree, the attack vector is a local attacker with file‑system privileges on the same host as the target process. The exploit is straightforward: inject a malicious frozen HTTP::Response and wait for the victim to request the URL. The EPSS score of 0.00051 indicates a low exploitation probability, and the vulnerability is not listed in KEV, but the inherent possibility of arbitrary code execution combined with the low barrier to attack portends a high risk. Administrators should treat this as an immediate threat until resolved, especially on systems where the default cache path is globally writable.

Generated by OpenCVE AI on May 15, 2026 at 18:05 UTC.

Remediation

Vendor Solution

Upgrade to WWW-Mechanize-Cached 2.00 or later.

OpenCVE Recommended Actions

  • Upgrade to WWW-Mechanize-Cached version 2.00 or later, which already addresses the deserialization flaw (CWE‑502).
  • If an upgrade is not immediately possible, configure Cache::FileCache to use a non‑world‑writable directory, set permissions to 0700, add a sticky bit, or set a restrictive directory_umask to mitigate Incorrect Permission Assignment (CWE‑732).
  • Ensure that no modules with side‑effectful STORABLE_thaw, DESTROY, or overload hooks are loaded, or temporarily disable the use of Storable::thaw in the application code to avoid deserialization exploitation.

Generated by OpenCVE AI on May 15, 2026 at 18:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 06:30:00 +0000

Type Values Removed Values Added
References

Fri, 15 May 2026 02:00:00 +0000

Type Values Removed Values Added
Description WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution. With no explicit cache backend, WWW::Mechanize::Cached constructs a default Cache::FileCache under /tmp/FileCache without overriding the backend's documented directory_umask of 000, so the cache root and its subdirectories are created mode 0777 with no sticky bit. Cache entries are named by sha1_hex of the request and read back through Storable::thaw on the next cache hit. A local attacker with write access to the cache tree can replace a victim's cache entry for a known URL with an arbitrary frozen HTTP::Response blob, causing the victim's next get() of that URL to return attacker controlled response bytes. Because the bytes are passed to Storable::thaw, a victim process that has loaded any class with a side-effectful STORABLE_thaw, DESTROY, or overload hook can be escalated to arbitrary code execution.
Title WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution
Weaknesses CWE-502
CWE-732
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-15T14:31:14.593Z

Reserved: 2026-05-14T16:30:23.954Z

Link: CVE-2026-8612

cve-icon Vulnrichment

Updated: 2026-05-15T05:18:42.682Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-15T02:16:23.843

Modified: 2026-05-15T15:16:56.763

Link: CVE-2026-8612

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T18:15:05Z

Weaknesses