Skip to main content

IO::Uncompress::Unzip CVE-2025-15649

| EUVDEUVD-2025-209949 MEDIUM
Uncaught Exception (CWE-248)
2026-05-27 CPANSec GHSA-hcq9-8v5x-mqjp
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Source Code Evidence Fetched
May 29, 2026 - 18:32 vuln.today
Analysis Generated
May 29, 2026 - 18:32 vuln.today
CVSS changed
May 29, 2026 - 16:27 NVD
5.5 (MEDIUM)
CVE Published
May 27, 2026 - 02:25 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date.

_dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die.

The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.

AnalysisAI

Uncaught exception in IO::Uncompress::Unzip before version 2.215 for Perl causes application-level denial of service when parsing ZIP files containing malformed DOS date fields. The _dosToUnixTime() function calls Time::Local::timelocal() without an eval guard, so a ZIP header encoding an out-of-range month, day, or hour causes timelocal() to die, propagating the exception to the caller rather than returning undef with a populated $UnzipError as callers expect. Any Perl application that processes untrusted ZIP files locally is affected; no public exploit has been identified at time of analysis, and EPSS exploitation probability is negligible at 0.02%.

Technical ContextAI

IO::Uncompress::Unzip is a core Perl decompression module distributed as part of the IO-Compress distribution by PMQS (cpe:2.3:a:pmqs:io::uncompress::unzip:*:*:*:*:*:*:*:*). The vulnerability resides in _dosToUnixTime(), which decodes the 32-bit MS-DOS timestamp stored in each ZIP local-file-header entry and converts it via Perl's Time::Local::timelocal(). The MS-DOS date format encodes year, month, day, hour, minute, and second in bit fields; crafted or corrupt ZIP archives can encode field values that exceed the ranges timelocal() accepts (e.g., month > 11, day > 31, hour > 23). When such a value is decoded, timelocal() throws a fatal Perl exception rather than returning an error code. Because the call site wraps no eval guard, the exception unwinds past IO::Uncompress::Unzip->new(), breaking the module's documented error-handling contract. The root cause is CWE-248 (Uncaught Exception): the library's internal error-propagation model diverges from Perl idiomatic practice when integrating with a function that uses exception-based signalling. The fix confirmed in the commit at fd28c1d2 adds an eval {} block around the timelocal() call and returns 0 when $dt is zero or unparseable, restoring the expected behavior.

RemediationAI

Upgrade IO-Compress to version 2.215 or later, which wraps the Time::Local::timelocal() call in an eval block and short-circuits on zero or unparseable timestamps, restoring the expected undef-plus-$UnzipError contract. The patch commit is publicly available at https://github.com/pmqs/IO-Compress/commit/fd28c1d2374eee9811f6d0c5bddc0957abdf1da8.patch and the release is indexed on MetaCPAN at https://metacpan.org/release/PMQS/IO-Compress-2.215/changes. On systems using cpan or cpanm, run cpanm IO::Compress to pull the latest release. For environments where upgrading is not immediately feasible, callers can wrap their own IO::Uncompress::Unzip->new() invocations in an eval {} block, catching the propagated exception and treating it as a parse failure; this is a code-level workaround with no side effects beyond added verbosity. Input validation - pre-screening ZIP headers for out-of-range DOS date fields before passing to the module - is theoretically possible but complex to implement correctly given the DOS timestamp bit-field encoding and is not recommended as a primary control.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2025-15649 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy