PT-2025-22879 · Perl+12

Vincent Lefevre · Published 2025-01-01 · Updated 2026-04-14 · CVE-2025-40909

CVSS v3.1

5.9 Medium

Vector

AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Perl versions 5.13.6 through 5.41.12

Description

The issue is related to a working directory race condition in Perl threads, where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed, which can be visible to other threads. This may lead to unintended operations, such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit.

Recommendations

For Perl versions 5.13.6 through 5.41.12, upgrade to Perl 5.41.13 or apply the patch immediately to resolve the issue. As a temporary workaround, consider avoiding the creation of threads while a directory handle is open to minimize the risk of exploitation. Restrict access to sensitive files and directories to prevent unintended operations.
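
The temporary workaround above, sketched as an added example (not code from the advisory or from the Perl project): the directory is read and its handle closed before any thread is created. The names `snapshot_dir` and `file_size` are hypothetical, and passing absolute paths to the workers is an extra precaution assumed here, not something the advisory states.

```perl
#!/usr/bin/env perl
# Added example: keep directory handles closed across threads->create.
use strict;
use warnings;
use threads;
use Cwd qw(abs_path);
use File::Spec;

# Read a directory and close its handle before returning, so no directory
# handle from this scan is still open when threads are created later.
sub snapshot_dir {
    my ($dir) = @_;
    my $abs = abs_path($dir) // die "cannot resolve $dir: $!";
    opendir(my $dh, $abs) or die "opendir $abs: $!";
    my @paths = map  { File::Spec->catfile($abs, $_) }
                grep { !/\A\.\.?\z/ } readdir($dh);
    closedir($dh) or die "closedir $abs: $!";
    return grep { -f } @paths;
}

# Hypothetical per-file job. It only uses the absolute path it is given,
# so it does not depend on the process-wide current working directory.
sub file_size {
    my ($path) = @_;
    return (stat $path)[7];    # undef if stat fails
}

my @files = snapshot_dir(shift // '.');    # handle is already closed here

# Threads are created only now, with no directory handle open.
# One thread per file keeps the example short.
my @workers = map {
    threads->create({ context => 'scalar' }, \&file_size, $_)
} @files;

for my $i (0 .. $#files) {
    my $size = $workers[$i]->join;
    printf "%s\t%s\n", $files[$i], $size // 'n/a';
}
```

The same rule applies to bareword or long-lived directory handles elsewhere in the program: any of them still open at `threads->create` matches the condition in the description.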

Exploit

Fix

DoS

Untrusted Search Path

Race Condition


Weakness Enumeration

Related Identifiers

ALSA-2025:11805
ALSA-2026:8096
AZL-62067
AZL-62069
BDU:2025-10307
CESA-2025_11805
CVE-2025-40909
ECHO-5693-3EFB-B660
INFSA-2025_11804
INFSA-2025_11805
MGASA-2025-0274
OESA-2025-1631
OPENSUSE-SU-2025:15258-1
RHSA-2025:11545
RHSA-2025:11804
RHSA-2025:11805
RHSA-2025:12056
RHSA-2025_11804
RHSA-2025_11805
RHSA-2026:8096
SUSE-SU-2025:02027-1
SUSE-SU-2025:02051-1
SUSE-SU-2025:20456-1
SUSE-SU-2025:20532-1
SUSE-SU-2025_02027-1
SUSE-SU-2025_02051-1
USN-7678-1

Affected Products

AlmaLinux
Astra Linux
CentOS
Debian
IBM AIX
Linux Mint
Apple macOS
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu
Perl