CVE-2025-15649
Deferred Deferred - Pending Action
Uncaught Exception in IO::Uncompress::Unzip Due to Malformed DOS Date

Publication date: 2026-05-27

Last updated on: 2026-05-29

Assigner: CPANSec

Description
IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die. The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-29
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15649
EUVD
EUVD-2025-209949
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pmqs io_compress to 2.215 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-248 An exception is thrown from a function, but it is not caught.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the IO::Uncompress::Unzip Perl module versions before 2.215. When the module parses a ZIP file header containing a malformed DOS date, it calls a function (_dosToUnixTime) that converts this date to a Unix timestamp without proper error handling. Specifically, the function calls Time::Local::timelocal() without an eval guard, so if the date is out-of-range (such as an invalid month, day, or hour), timelocal() throws an exception.

Because this exception is not caught within the module, it propagates out of the IO::Uncompress::Unzip->new($file) call, causing the extraction process to abort unexpectedly instead of returning a controlled error value.

Impact Analysis

This vulnerability can cause the IO::Uncompress::Unzip module to abort unexpectedly when processing ZIP files with malformed timestamps. Instead of gracefully handling the error and returning a controlled failure, the module throws an uncaught exception.

As a result, applications relying on this module for ZIP extraction may terminate prematurely or fail to process certain ZIP files, potentially disrupting workflows or automated processes that handle ZIP archives.

Detection Guidance

This vulnerability manifests when the IO::Uncompress::Unzip module encounters ZIP files with malformed or invalid DOS date timestamps, causing it to abort with an error related to out-of-range date values.

To detect this vulnerability on your system, you can attempt to unzip suspicious or untrusted ZIP files using a Perl script or application that relies on IO::Uncompress::Unzip versions before 2.215 and observe if it crashes or throws exceptions related to date parsing.

A practical command to test this is to run a Perl script that uses IO::Uncompress::Unzip->new($file) on ZIP files suspected to have malformed timestamps and check for errors like "Month '-1' out of range 0..11".

Alternatively, you can compare the behavior with the standard Unix unzip command, which can extract the same files without error, to identify if the issue is specific to the vulnerable Perl module.

Mitigation Strategies

The primary mitigation is to upgrade IO::Uncompress::Unzip to version 2.215 or later, where the _dosToUnixTime function has been patched to handle invalid or zero datetime values safely and prevent exceptions from propagating.

If upgrading immediately is not possible, avoid processing ZIP files with potentially malformed timestamps using the vulnerable module, or use alternative tools like the standard Unix unzip command which do not exhibit this failure.

Additionally, consider validating or sanitizing ZIP files before processing them with the vulnerable Perl module to prevent triggering the exception.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15649. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart