
Piedcrow

#25803 of 53,633
9.8 CVSS total
Vulnerabilities · 1
PT-2026-28652
9.8
2026-03-28
Unknown · Grid::Machine · CVE-2026-4851
**Name of the Vulnerable Software and Affected Versions**

GRID::Machine versions through 0.127

**Description**

GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. A compromised or malicious remote host can execute arbitrary code on the client through unsafe deserialization in the RPC protocol. The `read_operation()` function in `lib/GRID/Machine/Message.pm` deserializes values from the remote side using `eval()`. The variable `$arg` receives raw bytes from the protocol pipe, allowing a compromised remote host to embed arbitrary Perl code in the Dumper-formatted response, which is then executed on the client with every RPC call. The trust requirement for the remote host is not documented. The API endpoint is not explicitly mentioned. The vulnerable parameter is `$arg`.

**Recommendations**

Versions prior to 0.128 should be considered vulnerable. At the moment, there is no information about a newer version that contains a fix for this vulnerability.