CVE-2026-45191
Net::CIDR::Lite CIDR Mask Validation Bypass
Publication date: 2026-05-10
Last updated on: 2026-05-11
Assigner: CPANSec
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1289 | The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper validation of zero-padded CIDR mask values in Net::CIDR::Lite versions before 0.24, which may allow IP ACL bypass. Detection would involve identifying usage of vulnerable Net::CIDR::Lite versions in your Perl environment and checking for CIDR mask values with extraneous zero characters such as "/00" or "/01" in ACL configurations.
Since the vulnerability is related to parsing CIDR masks, you can search your system or network configuration files or scripts for CIDR masks with leading zeros in the mask portion.
- Use grep or similar tools to find CIDR masks with zero-padded masks, e.g.: grep -rE '/0[0-9]+' /path/to/configs
- Check the installed version of Net::CIDR::Lite in your Perl environment: perl -MNet::CIDR::Lite -e 'print $Net::CIDR::Lite::VERSION . "\n";'
If the version is before 0.24, the system is vulnerable.
Can you explain this vulnerability to me?
This vulnerability exists in Net::CIDR::Lite versions before 0.24 for Perl. The issue is that the software does not properly handle extraneous zero characters in CIDR mask values. For example, mask forms like "/00" and "/01" are incorrectly accepted as valid and parse to the same prefix as their unpadded counterparts. This improper validation can lead to an IP Access Control List (ACL) bypass.
How can this vulnerability impact me? :
Because the vulnerability allows IP ACL bypass, an attacker could potentially circumvent network access restrictions that rely on CIDR mask validation. This could lead to unauthorized access to systems or resources that are supposed to be protected by IP-based ACLs.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update Net::CIDR::Lite to version 0.24 or later, which includes a patch that properly validates CIDR mask values and rejects zero-padded masks.
If updating is not immediately possible, review and sanitize all CIDR mask inputs in your ACL configurations and scripts to ensure no zero-padded masks like "/00" or "/01" are used.
Apply the patch referenced in Resource 2 if you maintain your own version of Net::CIDR::Lite.