Skip to main content

WWW::Mechanize::Cached CVE-2026-8612

| EUVDEUVD-2026-30495 MEDIUM
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-05-15 CPANSec GHSA-38r9-g25v-vcvr
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Source Code Evidence Fetched
May 15, 2026 - 15:27 vuln.today
Analysis Generated
May 15, 2026 - 15:27 vuln.today
CVSS changed
May 15, 2026 - 15:22 NVD
5.3 (MEDIUM)
CVE Published
May 15, 2026 - 01:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution.

With no explicit cache backend, WWW::Mechanize::Cached constructs a default Cache::FileCache under /tmp/FileCache without overriding the backend's documented directory_umask of 000, so the cache root and its subdirectories are created mode 0777 with no sticky bit. Cache entries are named by sha1_hex of the request and read back through Storable::thaw on the next cache hit.

A local attacker with write access to the cache tree can replace a victim's cache entry for a known URL with an arbitrary frozen HTTP::Response blob, causing the victim's next get() of that URL to return attacker controlled response bytes. Because the bytes are passed to Storable::thaw, a victim process that has loaded any class with a side-effectful STORABLE_thaw, DESTROY, or overload hook can be escalated to arbitrary code execution.

AnalysisAI

Local privilege escalation in WWW::Mechanize::Cached for Perl (versions before 2.00) allows authenticated local attackers to inject malicious cached HTTP responses and achieve arbitrary code execution. The module creates world-writable cache directories under /tmp/FileCache with 0777 permissions, enabling any local user to replace cached responses that are deserialized via Storable::thaw. EPSS exploitation probability is low (0.05%, 16th percentile) and no active exploitation is confirmed at time of analysis. Vendor-released patch available in version 2.00 with upstream fix confirmed via GitHub commit b821647.

Technical ContextAI

WWW::Mechanize::Cached is a Perl library that extends WWW::Mechanize with disk-based caching of HTTP responses using the Cache::FileCache backend. The vulnerability stems from CWE-732 (Incorrect Permission Assignment for Critical Resource). When no explicit cache backend is provided, the module instantiates Cache::FileCache with default settings that create cache directories under /tmp/FileCache with directory_umask=000, resulting in mode 0777 permissions without the sticky bit. Cache entries are keyed by sha1_hex of the HTTP request and stored as serialized Storable blobs. On cache hits, the module deserializes these blobs using Storable::thaw, which triggers special hooks (STORABLE_thaw, DESTROY, or overload methods) in any loaded Perl classes. The CPE identifier cpe:2.3:a:oalders:www::mechanize::cached confirms this affects the CPAN distribution maintained by OALDERS.

RemediationAI

Upgrade to WWW::Mechanize::Cached version 2.00 or later, which relocates the default cache from /tmp/FileCache to XDG_CACHE_HOME (typically ~/.cache/WWW-Mechanize-Cached) and enforces directory_umask=077 to create owner-only cache directories. The fix is confirmed by GitHub commit b821647deeedf83490ebc1db91d959d942300ce0 and pull request https://github.com/libwww-perl/WWW-Mechanize-Cached/pull/36. After upgrading, manually remove any existing /tmp/FileCache directories as they are no longer used by version 2.00+. For systems that cannot immediately upgrade, implement compensating controls: explicitly pass a Cache::FileCache object with cache_root pointing to a user-private directory (mode 0700) and directory_umask=>077, for example: Cache::FileCache->new({namespace=>'mymech', cache_root=>'/home/user/.mycache', directory_umask=>077}). Note this workaround requires application code changes and does not protect other processes on the system still using default settings. On multi-user systems, consider restricting /tmp with filesystem mount options (noexec) as defense-in-depth, though this does not prevent cache poisoning.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-8612 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy