Net::IP::LPM version 1.10 for Perl does not properly consider leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses
Summary
| CVE | CVE-2025-40910 |
|---|---|
| State | PUBLISHED |
| Assigner | CPANSec |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-06-27 13:15:24 UTC |
| Updated | 2026-07-03 13:16:54 UTC |
| Description | Net::IP::LPM version 1.10 for Perl does not properly consider leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses. Leading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation. |
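As an added illustration (not code from Net::IP::LPM or from the CVE record), the Python below parses one IPv4 CIDR string under a strict rule and under the two lenient readings the description refers to, decimal and octal, to show how an allow-list entry written with a leading zero matches different hosts depending on the parser. The mode names and function names are assumptions made for this example.

```python
import re

# Constructed example: parse an IPv4 address three ways to show how a
# leading-zero octet such as "010" changes the meaning of a CIDR string.
#   strict  - reject any octet with a leading zero (safe choice for ACL input)
#   decimal - what a naive base-10 conversion does: "010" -> 10
#   octal   - what inet_aton-style parsers do:      "010" -> 8
STRICT_OCTET = re.compile(r"^(?:0|[1-9][0-9]{0,2})$")


def parse_octet(text: str, mode: str) -> int:
    if mode == "strict":
        if not STRICT_OCTET.match(text):
            raise ValueError(f"octet {text!r} rejected: leading zero or non-digit")
        value = int(text)
    elif mode == "decimal":
        value = int(text, 10)  # deliberately lenient, mimics a tolerant parser
    elif mode == "octal":
        value = int(text, 8) if len(text) > 1 and text[0] == "0" else int(text, 10)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    if not 0 <= value <= 255:
        raise ValueError(f"octet {text!r} out of range in mode {mode}")
    return value


def parse_ipv4(addr: str, mode: str) -> int:
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets in {addr!r}")
    value = 0
    for part in parts:
        value = (value << 8) | parse_octet(part, mode)
    return value


def in_cidr(ip: str, cidr: str, mode: str) -> bool:
    """True if ip falls inside cidr when both are read in the given mode."""
    net_text, _, plen_text = cidr.partition("/")
    plen = int(plen_text) if plen_text else 32
    if not 0 <= plen <= 32:
        raise ValueError(f"bad prefix length in {cidr!r}")
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return (parse_ipv4(ip, mode) & mask) == (parse_ipv4(net_text, mode) & mask)


def describe(cidr: str) -> dict:
    """Dotted-quad network address each mode derives from one ACL entry."""
    out = {}
    for mode in ("strict", "decimal", "octal"):
        try:
            net = parse_ipv4(cidr.partition("/")[0], mode)
            out[mode] = ".".join(str((net >> s) & 0xFF) for s in (24, 16, 8, 0))
        except ValueError as exc:
            out[mode] = f"rejected ({exc})"
    return out
```

Running describe("010.0.0.0/8") shows the same entry read as 10.0.0.0 by a decimal parser and 8.0.0.0 by an octal one, while strict mode refuses it outright, which is the behaviour an ACL should have.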
Risk And Classification
Primary CVSS: v3.1 6.5 MEDIUM from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Problem Types: CWE-1287 Improper Validation of Specified Type of Input
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| metacpan.org/release/TPODER/Net-IP-LPM-1.10/diff/TPODER/Net-IP-LPM-1.09/li... | 9b29abf9-4ab0-4765-b253-1875cd9b441e | metacpan.org | |
| blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros | 9b29abf9-4ab0-4765-b253-1875cd9b441e | blog.urth.org | |
| rt.cpan.org/Ticket/Display.html | 9b29abf9-4ab0-4765-b253-1875cd9b441e | rt.cpan.org | |
| security.metacpan.org/patches/N/Net-IP-LPM/1.10/CVE-2025-40910-r1.patch | 9b29abf9-4ab0-4765-b253-1875cd9b441e | security.metacpan.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
Workarounds
CNA: Apply the patch.
There are currently no legacy QID mappings associated with this CVE.