CVE-2011-10043
Received Received - Intake

Arbitrary Code Execution in Perl Module::Load

Vulnerability report for CVE-2011-10043, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: CPANSec

Description

Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded. Module names starting with "::" could be passed to the load function to specify arbitrary module paths. Attackers able to influence module names passed to load could use that bug to execute arbitrary code.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-145 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section delimiters when they are sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in Module::Load versions before 0.22 for Perl, where module names starting with "::" can be passed to the load function to specify arbitrary module paths outside of the standard @INC directories.

This flaw allows attackers who can influence the module names passed to the load function to execute arbitrary code by loading modules from unintended locations.

The root cause is Perl's design where the require function conflates loading modules and files, making it difficult to securely load modules from variables without risk of arbitrary code execution.

Impact Analysis

If an attacker can control the module names passed to the load function, they can exploit this vulnerability to execute arbitrary code on the affected system.

This could lead to unauthorized actions such as data theft, system compromise, or further exploitation depending on the privileges of the Perl process.

Mitigation Strategies

To mitigate this vulnerability in Module::Load versions before 0.22, avoid using the load function with module names starting with "::" as it allows loading arbitrary module paths and can lead to arbitrary code execution.

A recommended approach is to avoid relying on insecure module loading methods and instead use safer alternatives. According to the discussion in Resource 1, the best long-term fix is to use Perl's newer operations such as require_module for securely loading modules from @INC, which eliminates the ambiguity and security risks present in the older load or require functions.

Until such fixes are applied, review and sanitize any input that influences module names passed to load functions to prevent attackers from specifying arbitrary module paths.

Compliance Impact

The provided information does not specify how the vulnerability in Module::Load affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2011-10043. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart