CVE-2026-45190
Received - Intake
IP ACL Bypass in Net::CIDR::Lite Perl Module

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: CPANSec

Description
Net::CIDR::Lite versions before 0.24 for Perl do not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass. Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the one the input string spelled. find() and bin_find() can match or miss addresses as a result.

Example:

  my $cidr = Net::CIDR::Lite->new();
  $cidr->add("::1\n/128");
  $cidr->find("::1a"); # incorrectly returns true

See also CVE-2026-45191.
Meta Information
Published: 2026-05-10
Last Modified: 2026-05-10
Generated: 2026-05-11
AI Q&A: 2026-05-11
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-1289
Description: The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.
AI Powered Q&A
Can you explain this vulnerability to me?

Net::CIDR::Lite versions before 0.24 for Perl do not properly validate IP address and CIDR mask inputs. This improper validation allows inputs containing trailing newline or non-ASCII digit characters to pass the validators. However, these inputs are then re-encoded by the parser to a different address than the input string spelled.

As a result, the find() and bin_find() functions may incorrectly match or miss addresses, potentially allowing IP Access Control List (ACL) bypass.

For example, adding the address "::1\n/128" and then searching for "::1a" incorrectly returns true, demonstrating the bypass.


How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker to bypass IP-based access control lists (ACLs). Because the input validation is flawed, malicious inputs can be crafted to evade IP filtering rules.

This means unauthorized users or systems might gain access to resources or services that are supposed to be restricted based on IP addresses.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises from improper validation of IP address and CIDR mask inputs in Net::CIDR::Lite versions before 0.24 for Perl, which may allow IP ACL bypass. Detection involves checking if your system or network uses a vulnerable version of Net::CIDR::Lite.

Since the issue is in the Perl module's handling of IP addresses with trailing newline or non-ASCII digit characters, you can test for the vulnerability by running Perl scripts that add such inputs and check if the find() method incorrectly returns true.

Example test commands in Perl might include:

  use Net::CIDR::Lite;
  my $cidr = Net::CIDR::Lite->new();
  $cidr->add("::1\n/128");
  $cidr->find("::1a"); # should not return true if not vulnerable

If the find() method returns true for such inputs, it indicates the vulnerability is present.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Net::CIDR::Lite to version 0.24 or later, where proper validation of IP address and CIDR mask inputs is implemented.

Until an upgrade is possible, avoid using inputs containing trailing newlines or non-ASCII digit characters in IP address or CIDR mask fields to prevent ACL bypass.
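
One way to enforce that interim restriction in code, as an added example that is not part of the advisory or of Net::CIDR::Lite: a pre-filter that rejects the two input classes named above before a string reaches add() or find(). The helper name strict_ip_or_cidr, the 49-character length bound and the sample inputs are assumptions made for illustration; IPv6-shaped input is checked only for character set and mask range.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of Net::CIDR::Lite): returns the input
# unchanged if it is a plain-ASCII address or address/mask, otherwise undef.
sub strict_ip_or_cidr {
    my ($in) = @_;
    return undef unless defined($in) && length($in) && length($in) <= 49;

    # \A and \z anchor to the true start and end of the string; "$" would
    # also match just before a trailing newline. [0-9] is ASCII-only, while
    # "\d" also matches other Unicode decimal digits.
    my ($addr, $mask) = $in =~ m{\A([0-9A-Fa-f:.]+)(?:/([0-9]{1,3}))?\z}
        or return undef;

    if (index($addr, ':') >= 0) {
        # IPv6-shaped: character set is already restricted; bound the mask.
        return undef if defined($mask) && $mask > 128;
    } else {
        # IPv4: exactly four decimal octets, each 0..255; mask at most 32.
        my @octets = split /\./, $addr, -1;
        return undef unless @octets == 4;
        for my $o (@octets) {
            return undef unless $o =~ /\A[0-9]{1,3}\z/ && $o <= 255;
        }
        return undef if defined($mask) && $mask > 32;
    }
    return $in;
}

# Constructed sample inputs; the first is the string from the advisory.
# \x{661} is ARABIC-INDIC DIGIT ONE, a non-ASCII decimal digit.
my @samples = ("::1\n/128", "10.0.0.0/8\n", "10.0.0.\x{661}/8",
               "::1a", "192.168.0.0/16", "2001:db8::/32");

for my $s (@samples) {
    # Escape non-printable and non-ASCII characters for display only.
    (my $shown = $s) =~ s/([^\x20-\x7e])/sprintf('\\x{%x}', ord($1))/ge;
    printf "%-22s %s\n", $shown,
        defined(strict_ip_or_cidr($s)) ? 'accept' : 'reject';
}
```

The first three samples are rejected and the last three accepted. Apply the filter to strings passed to find() and bin_find() as well as to add(), since the advisory names both lookup paths.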

