CVE-2026-49941
Recursive DoS in Net::CIDR::Set Perl Module
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: CPANSec
| CWE ID | Description |
|---|---|
| CWE-1287 | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. |
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Net::CIDR::Set versions through 0.20 for Perl, where the software does not properly validate IP addresses.
The add method calls the _encode method to parse addresses. If the addresses do not resemble netmasks or network ranges, they are assumed to be single IP addresses and are passed back to the method as a 32-bit or 128-bit netmask.
If the argument is not a well-formed IP address, this causes indefinite recursion, which can be exploited by an attacker.
How can this vulnerability impact me?
An attacker could exploit this vulnerability to cause a denial of service (DoS) by triggering indefinite recursion in the IP address parsing function.
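A caller can keep malformed strings away from the parsing path described above by validating each argument before it reaches add. The following Perl code is an added example, not code from Net::CIDR::Set or from this advisory; the helper names ip_family and is_safe_cidr_arg, the set of accepted forms (single address, address/prefix-length, address-address range) and the sample inputs are assumptions.

```perl
#!/usr/bin/env perl
# Added example: gate untrusted strings before they are handed to
# Net::CIDR::Set->add. Uses only the core Socket module.
use strict;
use warnings;
use Socket qw(inet_pton AF_INET AF_INET6);

# Return 4 or 6 if $s is a well-formed IP literal, otherwise 0.
# \z (not $) is used so a trailing newline is rejected.
sub ip_family {
    my ($s) = @_;
    return 0 unless defined $s && length $s && length $s <= 45;
    return 4 if $s =~ /\A[0-9.]+\z/ && defined inet_pton(AF_INET, $s);
    return 6 if $s =~ /\A[0-9A-Fa-f:.]+\z/ && defined inet_pton(AF_INET6, $s);
    return 0;
}

# Assumed accepted forms: address, address/prefix-length, address-address.
# Anything else, including references and undef (CWE-1287), is rejected.
sub is_safe_cidr_arg {
    my ($arg) = @_;
    return 0 unless defined $arg && !ref $arg;
    if ($arg =~ m{\A([^/]+)/([^/]+)\z}) {
        my ($addr, $len) = ($1, $2);          # copy before further matching
        my $fam = ip_family($addr) or return 0;
        my $max = $fam == 4 ? 32 : 128;
        return ($len =~ /\A[0-9]{1,3}\z/ && $len <= $max) ? 1 : 0;
    }
    if ($arg =~ /\A([^-]+)-([^-]+)\z/) {
        my ($lo, $hi) = ($1, $2);
        my $fam = ip_family($lo) or return 0;
        return ip_family($hi) == $fam ? 1 : 0;  # both ends, same family
    }
    return ip_family($arg) ? 1 : 0;
}

# Constructed sample inputs, not taken from the advisory.
my @samples = ('192.0.2.0/24', '192.0.2.10-192.0.2.20', '2001:db8::/32',
               '198.51.100.7', 'not-an-ip', '', '192.0.2.300',
               '192.0.2.0/33', "10.0.0.1\n");
for my $in (@samples) {
    (my $shown = $in) =~ s/\n/\\n/g;
    # Only an 'accept' result would be passed on to $set->add($in).
    printf "%-26s %s\n", "'$shown'", is_safe_cidr_arg($in) ? 'accept' : 'reject';
}
```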