PT-2026-41236 · Cpan · Www::Mechanize::Cached
Oalders
·
Published
2026-05-15
·
Updated
2026-05-15
·
CVE-2026-8612
CVSS v3.1
5.3
Medium
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
WWW::Mechanize::Cached versions prior to 2.00
Description
When no explicit cache backend is used, the software creates a default Cache::FileCache in
/tmp/FileCache with a directory umask of 000, resulting in a cache root and subdirectories with mode 0777 and no sticky bit. This allows a local attacker with write access to the cache tree to replace a victim's cache entry for a known URL with an arbitrary frozen HTTP::Response blob. When the victim performs a get() request for that URL, the system reads the entry using Storable::thaw. If the victim process has loaded any class with a side-effectful STORABLE thaw, DESTROY, or overload hook, this can lead to local response forgery and arbitrary code execution.Recommendations
Update to version 2.00 or later.
Exploit
Fix
Deserialization of Untrusted Data
Incorrect Permission
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Www::Mechanize::Cached