Home > Vulnerability Database > CVE-2025-40909

Mend.io Vulnerability Database

CVE-2025-40909

Good to know:

Date: May 30, 2025

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

Severity Score

5.9

Related Resources (17)

Url: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098226

Url: https://github.com/Perl/perl5/issues/23010

Url: https://www.openwall.com/lists/oss-security/2025/05/22/2

Url: https://security-tracker.debian.org/tracker/CVE-2025-40909

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-40909

Url: https://github.com/Perl/perl5/commit/11a11ecf4bea72b17d250cfb43c897be1341861e

Url: https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9.patch

Url: https://perldoc.perl.org/5.14.0/perl5136delta#Directory-handles-not-copied-to-threads

Url: https://github.com/Perl/perl5/issues/10387

Url: http://www.openwall.com/lists/oss-security/2025/05/30/4

Url: http://www.openwall.com/lists/oss-security/2025/05/23/1

Url: http://www.openwall.com/lists/oss-security/2025/06/02/5

Url: http://www.openwall.com/lists/oss-security/2025/06/02/2

Url: http://www.openwall.com/lists/oss-security/2025/06/03/1

Url: http://www.openwall.com/lists/oss-security/2025/06/02/6

Url: http://www.openwall.com/lists/oss-security/2025/06/02/7

Url: https://www.mend.io/vulnerability-database/CVE-2025-40909

Severity Score

5.9

Weakness Type (CWE)

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-362

Untrusted Search Path

CWE-426

Permission Race Condition During Resource Copy

CWE-689

Top Fix

Upgrade Version

Upgrade to version https://github.com/Perl/perl5.git - v5.41.13

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-40909

Good to know:

Date: May 30, 2025

Severity Score

Related Resources (17)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?