Description

IO::Uncompress::Unzip versions before 2.215 for Perl propagate an uncaught exception when parsing a zip header with a malformed DOS date. _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die. The exception propagates out of IO::Uncompress::Unzip->new($file), where callers expect undef plus $UnzipError.
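
The missing guard, and a caller-side wrapper for code that cannot yet move to 2.215, as an added example (not code from IO::Compress or from this advisory). The helper names dos_fields, dos_to_unix_guarded and open_zip_guarded and the two sample timestamps are assumptions made for illustration; the bit layout is the standard MS-DOS date/time packing.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Time::Local ();
use IO::Uncompress::Unzip qw($UnzipError);

# Split a 32-bit MS-DOS timestamp (date in the high 16 bits, time in the low 16).
sub dos_fields {
    my ($dt) = @_;
    return (
        sec  => ($dt & 0x1f) * 2,
        min  => ($dt >> 5)  & 0x3f,
        hour => ($dt >> 11) & 0x1f,
        mday => ($dt >> 16) & 0x1f,
        mon  => ($dt >> 21) & 0x0f,            # 1..12 when well-formed
        year => (($dt >> 25) & 0x7f) + 1980,
    );
}

# Guarded conversion: timelocal() dies on out-of-range fields, so trap the
# exception and return undef instead of letting it escape to the caller.
sub dos_to_unix_guarded {
    my %f = dos_fields(shift);
    my $t = eval {
        Time::Local::timelocal(@f{qw(sec min hour mday)}, $f{mon} - 1, $f{year});
    };
    return $t;
}

# Caller-side guard for releases before 2.215: turn a die inside new() into
# the undef-plus-message result that callers already handle.
sub open_zip_guarded {
    my ($file) = @_;
    my $z    = eval { IO::Uncompress::Unzip->new($file) };
    my $died = $@;
    return ($z, undef) if defined $z;
    return (undef, $died ne '' ? "exception while parsing: $died" : $UnzipError);
}

# Constructed sample values, not taken from any real archive.
my $ok  = (44 << 25) | (6 << 21) | (15 << 16) | (12 << 11) | (30 << 5) | 5;
my $bad = (44 << 25) | (0 << 21) | (15 << 16) | (12 << 11) | (30 << 5) | 5;  # month field 0
for my $dt ($ok, $bad) {
    my $t = dos_to_unix_guarded($dt);
    printf "0x%08x -> %s\n", $dt,
        defined $t ? scalar localtime($t) : 'rejected (out-of-range field)';
}
if (@ARGV) {
    my ($z, $err) = open_zip_guarded($ARGV[0]);
    print defined $z ? "opened $ARGV[0]\n" : "refused $ARGV[0]: $err\n";
}
```

Passing an archive path as the first argument runs it through the guarded constructor; services that unpack untrusted uploads in a long-lived process are where the wrapper matters most until the module is upgraded.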

PUBLISHED Reserved 2026-05-26 | Published 2026-05-27 | Updated 2026-05-29 | Assigner CPANSec

Problem types

CWE-248 Uncaught Exception

Product status

Default status: unaffected

Any version before 2.215: affected

Timeline

2025-10-25: Issue reported.
2026-01-30: Version 2.215 released.

References

www.openwall.com/lists/oss-security/2026/05/27/1

github.com/...fd28c1d2374eee9811f6d0c5bddc0957abdf1da8.patch patch

github.com/pmqs/IO-Compress/issues/65 issue-tracking

metacpan.org/release/PMQS/IO-Compress-2.215/changes release-notes

cve.org (CVE-2025-15649)

nvd.nist.gov (CVE-2025-15649)
