CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Perl CryptX before version 0.087 contains a dependency that may be susceptible to an integer overflow. CryptX embeds a version of the libtommath library that is susceptible to an integer overflow associated with CVE-2023-36328.
Analysis
Perl CryptX before version 0.087 contains an embedded version of the libtommath library vulnerable to integer overflow (CVE-2023-36328), enabling remote code execution with no authentication required. All users of affected CryptX versions are exposed; successful exploitation of the integer overflow is rated as complete system compromise, with full loss of confidentiality, integrity, and availability. The vulnerability carries a critical CVSS 9.8 score: network attack vector, low attack complexity, and no privileges or user interaction required.
Technical Context
The vulnerability stems from an integer overflow flaw in libtommath, a mathematical library used for cryptographic operations. CryptX, a Perl module providing cryptographic functionality via XS bindings, embeds an outdated version of libtommath that fails to properly validate integer operations during mathematical calculations. Integer overflows in cryptographic libraries can lead to buffer overflows, memory corruption, or logic flaws in cryptographic implementations. The affected component is used internally by CryptX for operations like modular exponentiation and big integer arithmetic. The root cause is improper input validation or bounds checking in integer arithmetic operations (CWE category: Improper Input Validation / Integer Overflow). CPE affected: cpe:2.3:a:perl:cryptx:*:*:*:*:*:*:*:* (versions prior to 0.087).
Affected Products
- Perl CryptX (< 0.087)
- libtommath (as embedded in CryptX)
- All Perl applications depending on CryptX < 0.087
Remediation
- action: Immediate patch deployment
  details: Upgrade Perl CryptX to version 0.087 or later. This version contains an updated libtommath library patched for CVE-2023-36328.
  method: cpan[m] install CryptX, or update via the system package manager (apt, brew, yum, etc.)
- action: Version verification
  details: Verify the CryptX version post-upgrade using: perl -e 'use CryptX; print $CryptX::VERSION'
  expected_version: >= 0.087
- action: Dependency scanning
  details: Audit all Perl applications and dependencies for CryptX usage. Use tools like 'cpan-audit' or 'perl-criticize' to identify vulnerable versions in production environments.
- action: No practical workarounds
  details: Integer overflow vulnerabilities cannot be mitigated without code-level fixes. Patching is mandatory; workarounds like input validation at the application layer are insufficient for cryptographic library vulnerabilities.
- action: Mitigation during patch window
  details: Restrict network exposure of services using CryptX if immediate patching is impossible. However, given the criticality, patching should occur within hours, not days.
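The version-verification and dependency-scanning steps above can be scripted for fleet-wide auditing. The following POSIX shell script is an added example, not part of the advisory or of the CryptX project: it queries the installed module the same way the advisory's one-liner does (`perl -MCryptX -e ...` is equivalent to `perl -e 'use CryptX; ...'`), compares the result against the fixed release, and returns a distinct exit code for patched, vulnerable, and not-installed hosts. It assumes CryptX version strings are plain decimals (0.085, 0.087, 0.1, ...), which is how Perl orders them, so the comparison is numeric rather than lexical.

```shell
#!/bin/sh
# Added example (not from the advisory): audit an installed CryptX against the
# release that ships the libtommath fix for CVE-2023-36328.

FIXED_VERSION="0.087"   # first CryptX release carrying the patched libtommath

# cryptx_version_ok VERSION
#   exit 0 when VERSION >= 0.087, 1 otherwise (empty/garbage compares as 0).
#   Assumption: CryptX versions are decimal numbers, so 0.1 > 0.087 > 0.085.
cryptx_version_ok() {
    awk -v have="$1" -v need="$FIXED_VERSION" \
        'BEGIN { exit !((have + 0) >= (need + 0)) }'
}

# installed_cryptx_version
#   prints $CryptX::VERSION, or nothing if perl or the module is unavailable
installed_cryptx_version() {
    command -v perl >/dev/null 2>&1 || return 1
    perl -MCryptX -e 'print $CryptX::VERSION' 2>/dev/null
}

# audit_cryptx
#   prints a one-line verdict; exit 0 = patched, 1 = vulnerable, 2 = not installed
audit_cryptx() {
    ver=$(installed_cryptx_version)
    if [ -z "$ver" ]; then
        echo "CryptX: not installed (or perl unavailable)"
        return 2
    fi
    if cryptx_version_ok "$ver"; then
        echo "CryptX $ver: OK (>= $FIXED_VERSION)"
        return 0
    fi
    echo "CryptX $ver: VULNERABLE, upgrade to >= $FIXED_VERSION (CVE-2023-36328 via embedded libtommath)"
    return 1
}

# Run the audit only when invoked as: sh cryptx_check.sh --check
# (the functions can also be sourced by a larger inventory script)
if [ "${1:-}" = "--check" ]; then
    audit_cryptx
    exit $?
fi
```

Exit code 1 is deliberately reserved for "vulnerable" so the script can feed a configuration-management or CI gate directly; hosts without CryptX at all return 2 rather than being silently counted as clean.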
Vendor Status
Ubuntu
Priority: Medium

| Release | Status | Version |
|---|---|---|
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| upstream | needs-triage | - |
| oracular | ignored | end of life, was needs-triage |
| plucky | ignored | end of life, was needs-triage |
| questing | needs-triage | - |
Debian
Bug #1107697

| Release | Status | Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 0.069-1 | - |
| bookworm | vulnerable | 0.077-1 | - |
| trixie | vulnerable | 0.085-1 | - |
| forky, sid | fixed | 0.087-1 | - |
| (unstable) | fixed | 0.087-1 | - |
EUVD-2025-18120