CVE-2025-15649
Uncaught Exception in IO::Uncompress::Unzip Due to Malformed DOS Date
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: CPANSec
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pmqs | io_compress | < 2.215 (upper bound exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-248 | An exception is thrown from a function, but it is not caught. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the IO::Uncompress::Unzip Perl module versions before 2.215. When the module parses a ZIP file header containing a malformed DOS date, it calls a function (_dosToUnixTime) that converts this date to a Unix timestamp without proper error handling. Specifically, the function calls Time::Local::timelocal() without an eval guard, so if the date is out-of-range (such as an invalid month, day, or hour), timelocal() throws an exception.
Because this exception is not caught within the module, it propagates out of the IO::Uncompress::Unzip->new($file) call, causing the extraction process to abort unexpectedly instead of returning a controlled error value.
How can this vulnerability impact me?
This vulnerability can cause the IO::Uncompress::Unzip module to abort unexpectedly when processing ZIP files with malformed timestamps. Instead of gracefully handling the error and returning a controlled failure, the module throws an uncaught exception.
As a result, applications relying on this module for ZIP extraction may terminate prematurely or fail to process certain ZIP files, potentially disrupting workflows or automated processes that handle ZIP archives.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests when the IO::Uncompress::Unzip module encounters ZIP files with malformed or invalid DOS date timestamps, causing it to abort with an error related to out-of-range date values.
To detect this vulnerability on your system, you can attempt to unzip suspicious or untrusted ZIP files using a Perl script or application that relies on IO::Uncompress::Unzip versions before 2.215 and observe whether it dies or throws an exception related to date parsing.
A practical command to test this is to run a Perl script that uses IO::Uncompress::Unzip->new($file) on ZIP files suspected to have malformed timestamps and check for errors like "Month '-1' out of range 0..11".
Alternatively, you can compare the behavior with the standard Unix unzip command, which can extract the same files without error, to identify if the issue is specific to the vulnerable Perl module.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade IO::Uncompress::Unzip to version 2.215 or later, where the _dosToUnixTime function has been patched to handle invalid or zero datetime values safely and prevent exceptions from propagating.
If upgrading immediately is not possible, avoid processing ZIP files with potentially malformed timestamps using the vulnerable module, or use an alternative tool such as the standard Unix unzip command, which does not exhibit this failure.
Additionally, consider validating or sanitizing ZIP files before processing them with the vulnerable Perl module to prevent triggering the exception.
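As an added illustration (not code from IO::Uncompress::Unzip or its author), the guarded DOS-date conversion below shows both halves of the issue described above: decoding the DOS time and date fields a ZIP header carries, and wrapping Time::Local::timelocal() in eval so an out-of-range field such as a month of 0 yields a controlled return value instead of a propagated die. The field layout is the standard MS-DOS date/time format; the function name, the epoch-0 fallback and the sample field values are assumptions made for this example.

```perl
use strict;
use warnings;
use Time::Local qw(timelocal);

# Decode the two 16-bit MS-DOS fields a ZIP local header stores for the
# modification time. Standard DOS layout: time = hour(5) min(6) sec/2(5),
# date = year-1980(7) month(4) day(5), most significant bits first.
# Returns ($epoch, undef) on success or ($fallback, $reason) on a bad field.
sub dos_to_unix_time_guarded {
    my ($dos_time, $dos_date) = @_;

    my $sec  = ($dos_time & 0x1F) * 2;
    my $min  = ($dos_time >> 5) & 0x3F;
    my $hour = ($dos_time >> 11) & 0x1F;
    my $day  = $dos_date & 0x1F;
    my $mon  = ($dos_date >> 5) & 0x0F;         # 1..12 when well formed
    my $year = (($dos_date >> 9) & 0x7F) + 1980;

    # timelocal() croaks on out-of-range fields: a DOS month of 0 becomes -1
    # and produces "Month '-1' out of range 0..11". The eval keeps that die
    # from reaching the caller; the unguarded call is what the CVE describes.
    my $epoch = eval { timelocal($sec, $min, $hour, $day, $mon - 1, $year) };
    return ($epoch, undef) if defined $epoch;

    # Fallback policy is an assumption for this example (the patched module's
    # choice may differ): map an unparsable or all-zero timestamp to epoch 0.
    my $reason = $@ || 'timelocal returned undef';
    $reason =~ s/\s+at .*$//s;                  # drop the " at FILE line N" suffix
    return (0, $reason);
}

# Constructed sample header fields; none of these come from the advisory.
my @cases = (
    [0x6C20, 0x5A41],   # 13:33:00 on 2025-02-01, well formed
    [0x0000, 0x0000],   # all-zero fields: day 0, month 0 (the zero-datetime case)
    [0x0000, 0x5BA1],   # month nibble 13, i.e. (0x5BA1 >> 5) & 0xF
);
for my $c (@cases) {
    my ($t, $err) = dos_to_unix_time_guarded(@$c);
    my $shown = defined $err ? "rejected ($err)" : scalar localtime($t);
    printf "time=0x%04X date=0x%04X -> %s\n", @$c, $shown;
}
```

The same eval pattern placed around IO::Uncompress::Unzip->new($file) is the application-side equivalent of the fix for callers that cannot yet move to 2.215; `perl -MIO::Uncompress::Unzip -e 'print $IO::Uncompress::Unzip::VERSION'` shows which version a host has installed.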