Message-Id: <334FB9C3-E9EA-414B-8F67-5C28DFCE3CA2@stig.io>
Date: Fri, 15 May 2026 03:15:50 +0200
From: Stig Palmquist <stig@...g.io>
To: cve-announce@...urity.metacpan.org,
 oss-security@...ts.openwall.com
Subject: CVE-2026-8612: WWW::Mechanize::Cached versions before 2.00 for Perl
 deserialize cached HTTP responses from a world-writable on-disk cache,
 enabling local response forgery and code execution

========================================================================
CVE-2026-8612                                        CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-8612
  Distribution:  WWW-Mechanize-Cached
      Versions:  before 2.00

      MetaCPAN:  https://metacpan.org/dist/WWW-Mechanize-Cached
      VCS Repo:  https://github.com/libwww-perl/WWW-Mechanize-Cached


WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached
HTTP responses from a world-writable on-disk cache, enabling local
response forgery and code execution

Description
-----------
WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached
HTTP responses from a world-writable on-disk cache, enabling local
response forgery and code execution.

With no explicit cache backend, WWW::Mechanize::Cached constructs a
default Cache::FileCache under /tmp/FileCache without overriding the
backend's documented directory_umask of 000, so the cache root and its
subdirectories are created mode 0777 with no sticky bit. Cache entries
are named by sha1_hex of the request and read back through
Storable::thaw on the next cache hit.

A local attacker with write access to the cache tree can replace a
victim's cache entry for a known URL with an arbitrary frozen
HTTP::Response blob, causing the victim's next get() of that URL to
return attacker-controlled response bytes. Because the bytes are passed
to Storable::thaw, a victim process that has loaded any class with a
side-effectful STORABLE_thaw, DESTROY, or overload hook can be
escalated to arbitrary code execution.
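The two paragraphs above describe the cache tree and the read-back path. The following is an added example, not code from the advisory or from the WWW-Mechanize-Cached distribution: it audits the default cache root for directories that are world-writable without the sticky bit, and shows the explicit-backend form (a private cache root plus directory_umask 0077) that a caller can pass instead of relying on the default. The helper names world_writable_dirs and private_cache are the example's own; the cache_root and directory_umask options are Cache::FileCache's documented ones, and the cache constructor argument is WWW::Mechanize::Cached's. Upgrading to 2.00 remains the fix; the explicit backend is the check and the hygiene a practitioner would want regardless of version.

```perl
#!/usr/bin/env perl
# Added example (not part of the advisory or of WWW-Mechanize-Cached):
# audit the default Cache::FileCache tree and build a private backend.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Fcntl qw(:mode);
use Cache::FileCache;
use WWW::Mechanize::Cached;

# Default cache root of Cache::FileCache when no cache_root is given
# (the tree the advisory describes as mode 0777 with no sticky bit).
my $DEFAULT_ROOT = File::Spec->catdir( File::Spec->tmpdir, 'FileCache' );

# Walk $root and return directories any local user can write to and that
# lack the sticky bit, i.e. where another user can unlink and recreate a
# cache entry file under its sha1_hex name.
sub world_writable_dirs {
    my ($root) = @_;
    return () unless -d $root;
    my ( @bad, @stack ) = ( (), $root );
    while ( defined( my $dir = pop @stack ) ) {
        my $mode = ( stat $dir )[2] or next;
        push @bad, $dir if ( $mode & S_IWOTH ) && !( $mode & S_ISVTX );
        opendir my $dh, $dir or next;
        for my $ent ( readdir $dh ) {
            next if $ent eq '.' or $ent eq '..';
            my $path = File::Spec->catdir( $dir, $ent );
            push @stack, $path if -d $path && !-l $path;
        }
        closedir $dh;
    }
    return @bad;
}

# Hardened backend: a cache root only this user can enter, and
# directory_umask 0077 (octal) so subdirectories are created 0700
# instead of the backend's documented default umask of 000.
sub private_cache {
    my ($root) = @_;
    return Cache::FileCache->new(
        {   namespace       => 'WWW::Mechanize::Cached',
            cache_root      => $root,
            directory_umask => 0077,
        }
    );
}

if ( my @bad = world_writable_dirs($DEFAULT_ROOT) ) {
    print "world-writable, non-sticky cache dirs under $DEFAULT_ROOT:\n";
    print "  $_\n" for @bad;
}

# Vulnerable form: no explicit backend, so the shared /tmp/FileCache
# tree is used and any local user can replace an entry.
# my $mech = WWW::Mechanize::Cached->new;

# Hardened form: tempdir() creates the root mode 0700; the backend
# built on it never touches /tmp/FileCache.
my $root = tempdir( 'mech-cache-XXXXXX', TMPDIR => 1, CLEANUP => 1 );
my $mech = WWW::Mechanize::Cached->new( cache => private_cache($root) );
```

The audit only flags the condition the advisory names (other-writable and no sticky bit); a sticky /tmp-style directory would still let an attacker create new entries but not replace a victim's existing file, which is why the sticky bit is the relevant check here.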

Problem types
-------------
- CWE-732 Incorrect Permission Assignment for Critical Resource
- CWE-502 Deserialization of Untrusted Data

Solutions
---------
Upgrade to WWW-Mechanize-Cached 2.00 or later.


References
----------
https://github.com/libwww-perl/WWW-Mechanize-Cached/pull/36
https://github.com/libwww-perl/WWW-Mechanize-Cached/commit/b821647deeedf83490ebc1db91d959d942300ce0.patch
https://metacpan.org/release/OALDERS/WWW-Mechanize-Cached-2.00/changes

Timeline
--------
- 2026-05-13: Issue reported.
- 2026-05-14: WWW-Mechanize-Cached 2.00 released with fix.

