CVE-2025-15649
Essential information
- Published
- 27/05/2026 04:16
- Modified
- 27/05/2026 19:38
- Author
- —
- Creator
- —
- CISA KEV
- No
- CWE
- —
- CVSS vector
- — — —
Description
IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date.
_dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die.
The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.
NVD status
- Status
- Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
- Source
- 9b29abf9-4ab0-4765-b253-1875cd9b441e
- NVD
- View on NVD
Affected products (CPE)
| Product | CPE |
|---|---|
| perl / io | cpe:2.3:a:perl:io::uncompress::unzip:<2.215:*:*:*:*:*:* |