CVE-2025-40911

Description

Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly handle leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses. Leading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation. Net::CIDR::Set used code from Net::CIDR::Lite, which had a similar vulnerability CVE-2021-47154.
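The description above boils down to a parser disagreement: an octet written as "010" is 8 if read as octal and 10 if read as decimal, so an access-control list and the system it protects can resolve the same text to two different addresses. The example below is an added illustration, not code from Net::CIDR::Set, its fix commit, or the Debian tracker; all function names are constructed. It shows the two readings side by side and the defender-side remedy of refusing any non-canonical octet, so that ambiguous input fails closed instead of being guessed at.

```python
"""
Strict IPv4/CIDR parsing that refuses octets with leading zeros.

Constructed example (not Net::CIDR::Set code): demonstrates why a permissive
parser makes an IP-based ACL ambiguous, and the fail-closed alternative.
"""
import ipaddress


class AmbiguousAddress(ValueError):
    """Raised for address text that is not canonical dotted-decimal form."""


def strict_ipv4(text: str) -> ipaddress.IPv4Address:
    """Parse a dotted quad, accepting only canonical decimal octets."""
    parts = text.split(".")
    if len(parts) != 4:
        raise AmbiguousAddress(f"expected four octets: {text!r}")
    octets = []
    for part in parts:
        if not part.isdigit():
            raise AmbiguousAddress(f"non-decimal octet: {part!r}")
        # A lone '0' is fine; '00', '010', '0255' are the ambiguous forms.
        if len(part) > 1 and part[0] == "0":
            raise AmbiguousAddress(f"leading zero in octet: {part!r}")
        value = int(part)
        if value > 255:
            raise AmbiguousAddress(f"octet out of range: {part!r}")
        octets.append(value)
    return ipaddress.IPv4Address(".".join(str(o) for o in octets))


def strict_cidr(text: str) -> ipaddress.IPv4Network:
    """Parse 'a.b.c.d/n' with the same strictness applied to the prefix length."""
    if "/" not in text:
        raise AmbiguousAddress(f"missing prefix length: {text!r}")
    addr_text, _, prefix_text = text.partition("/")
    if not prefix_text.isdigit() or (len(prefix_text) > 1 and prefix_text[0] == "0"):
        raise AmbiguousAddress(f"bad prefix length: {prefix_text!r}")
    prefix = int(prefix_text)
    if prefix > 32:
        raise AmbiguousAddress(f"prefix length out of range: {prefix}")
    addr = strict_ipv4(addr_text)
    # strict=False lets a host address stand in for its network (10.0.0.7/24 -> 10.0.0.0/24)
    return ipaddress.IPv4Network((int(addr), prefix), strict=False)


def interpretations(text: str) -> tuple[str, str]:
    """Return (decimal_reading, octal_reading) of the same dotted-quad text.

    Each is what a lenient parser might silently produce for zero-led octets;
    a zero-led octet containing 8 or 9 is not valid octal and int() raises.
    """
    parts = text.split(".")
    decimal = ".".join(str(int(p, 10)) for p in parts)
    octal = ".".join(
        str(int(p, 8)) if len(p) > 1 and p[0] == "0" else str(int(p, 10))
        for p in parts
    )
    return decimal, octal


def is_allowed(client: str, acl: list[str]) -> bool:
    """Fail closed: a non-canonical client address or ACL entry denies access."""
    try:
        ip = strict_ipv4(client)
        networks = [strict_cidr(entry) for entry in acl]
    except AmbiguousAddress:
        return False
    return any(ip in net for net in networks)


def rejects(parser, text: str) -> bool:
    """True if the strict parser refuses the given text."""
    try:
        parser(text)
    except AmbiguousAddress:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a canonical address and its zero-led spelling.
    print(interpretations("010.0.0.1"))            # ('10.0.0.1', '8.0.0.1')
    print(is_allowed("10.0.0.5", ["10.0.0.0/24"]))   # True
    print(is_allowed("010.0.0.5", ["10.0.0.0/24"]))  # False: refused, not reinterpreted
```

The design choice worth noting is that the strict parser does not pick a winner between the decimal and octal readings; it rejects the text, because whichever reading the ACL chooses, some other component on the path (a kernel inet_aton, a proxy, a log pipeline) may choose the other. Python's own `ipaddress` module has rejected leading zeros since the CVE-2021-29921 fix, which is the same reasoning applied in the standard library.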

Predictions

Exploit likelihood: 20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker (DFSG)

CVE-2025-40911

Name: CVE-2025-40911
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1106699

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package               Release    Version   Status
libnet-cidr-set-perl (PTS)   bullseye   0.13-3    vulnerable
                             bookworm   0.13-4    vulnerable
                             trixie     0.15-1    fixed
                             forky      0.20-1    fixed
                             sid        0.21-1    fixed

The information below is based on the following data on fixed versions.

Package                Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
libnet-cidr-set-perl   source   (unstable)   0.15-1                             1106699

Notes

[bookworm] - libnet-cidr-set-perl <no-dsa> (Minor issue)
[bullseye] - libnet-cidr-set-perl <postponed> (Minor issue)
https://lists.security.metacpan.org/cve-announce/msg/29942240/
Fixed by: https://github.com/robrwo/perl-Net-CIDR-Set/commit/be7d91e8446ad8013b08b4be313d666dab003a8a (v0.14)


OS impact

Debian: mixed, 5 releases

Version    Status     Fixed in
trixie     Fixed      0.15-1
sid        Fixed      0.15-1
forky      Fixed      0.15-1
bullseye   Affected
bookworm   Affected
