Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from Vendor (9b29abf9-4ab0-4765-b253-1875cd9b441e).
CVSS VectorVendor: 9b29abf9-4ab0-4765-b253-1875cd9b441e
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.
_parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.
Arbitrary Perl in the output glob executes at the calling process's privilege.
AnalysisAI
Arbitrary Perl code execution in the IO::Compress distribution (all versions before 2.220) lets an attacker who controls the output glob string passed to the bundled File::GlobMapper run arbitrary Perl at the calling process's privilege. The output glob is wrapped in double quotes and later handed to Perl's eval STRING, so an embedded double quote escapes the string context and the trailing characters execute as code. This is rated CVSS 7.3 and tagged RCE/Code Injection; no public exploit was identified at time of analysis and EPSS is very low (0.03%), but a vendor patch (2.220) and the fixing commit are publicly available.
Technical ContextAI
IO::Compress is a core Perl distribution that provides gzip/zip/bzip2 compression interfaces, and it bundles File::GlobMapper - a helper that maps input filename globs to output filenames (e.g. globmap('*.tmp','X-#1')). Internally, _parseOutputGlob() built the output transformation by string-concatenating the caller-supplied glob inside double quotes and storing it in the parser state; _getFiles() then evaluated that stored string with eval STRING to interpolate the capture tokens (#1, #2, *). This is a textbook CWE-95 (improper neutralization of directives in dynamically evaluated code, i.e. eval injection): because the glob is interpolated into code rather than treated as data, any Perl syntax it contains is executed. The 2.220 fix replaces eval STRING in _getFiles() with a delimiter-based substitution scheme using non-printable markers (\xFF/\xFE plus escape bytes) that performs the variable substitution without ever evaluating the string as code. No CPE strings were supplied in the source data; the affected scope is taken from the ENISA EUVD range (IO::Compress < 2.220).
RemediationAI
Vendor-released patch: upgrade IO::Compress to version 2.220 or later (for example via cpan IO::Compress or your OS/Perl distribution package manager). The fix is upstream commit f2db247bf90d4cc7ee2710be384946081f3b4610, which removes the eval STRING call in _getFiles() in favor of non-evaluating delimiter-based substitution; see the MetaCPAN 2.220 changelog for confirmation. If you cannot upgrade immediately, the concrete compensating control is to ensure no untrusted or attacker-influenced data is ever passed as the OUTPUT glob argument to File::GlobMapper::globmap() (the second argument) or the equivalent IO::Compress output-glob feature - keep output patterns hard-coded or strictly allowlisted, and reject or strip literal double-quote characters from any output glob derived from user input (trade-off: this breaks legitimate output names that contain double quotes and is more fragile than upgrading). The input/match pattern is not the injection vector, so constraining only the output pattern is sufficient as a stopgap.
Same weakness CWE-95 – Eval Injection
View allSame technique Code Injection
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32048
GHSA-q6wx-vhvq-x7h6