PT-2026-43482 · Cpan · Io::Uncompress::Unzip

Published

2026-05-27

·

Updated

2026-06-16

·

CVE-2025-15649

CVSS v3.1

5.5

Medium

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions IO::Uncompress::Unzip versions prior to 2.215
Description An uncaught exception occurs when parsing a zip header containing a malformed DOS date. The function dosToUnixTime() decodes the last-modification date field of the local-file-header and invokes Time::Local::timelocal() without an eval guard. If the date field decodes to an out-of-range month, day, or hour, timelocal() fails, causing the exception to propagate through IO::Uncompress::Unzip->new($file) instead of returning the expected undef and $UnzipError.
Recommendations Update to version 2.215 or later.

Exploit

Fix

DoS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2025-15649
ECHO-6DE8-D6D9-D48A

Affected Products

Io::Uncompress::Unzip