CVE-2020-16154
Description
The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
App::cpanminus 1.7044 fails to properly verify the PGP signature of a mirror's CHECKSUMS file: the signature check passes even when unsigned checksum entries have been prepended to the file, allowing an attacker to bypass verification and have cpanm install backdoored distributions.
Vulnerability
cpanminus (App::cpanminus) version 1.7044 [1] incorrectly validates the PGP signature of a mirror's CHECKSUMS file. When Module::Signature is available, cpanm calls its _verify() function with only the file name, so _verify() confirms that a valid signed cleartext exists somewhere in the file but never checks that the signed text is the text cpanm goes on to evaluate. An attacker can therefore place forged checksum entries before the cleartext signature block: the signature still verifies, and the unsigned entries are the ones used [2].
Exploitation
An attacker needs to operate a malicious CPAN mirror (or intercept and modify traffic to a legitimate one, which an unencrypted http mirror permits) and modify its CHECKSUMS file by adding an entry for a backdoored distribution at the very beginning, before the PGP-signed cleartext. Because cpanm evaluates CHECKSUMS as Perl code, an entry followed by __END__ at the top of the file is all that cpanm reads; the genuine, signed data below __END__ is ignored while still satisfying the signature check. When the user runs cpanm with signature verification enabled against that mirror, the client accepts the modified CHECKSUMS, finds that the backdoored tarball matches the forged digest, and installs it [2].
Impact
Successful exploitation allows an attacker to deliver arbitrary Perl distributions with modified code to the victim. Installing a distribution runs its build and test scripts, so this is code execution on the installing host at install time, before the module is ever loaded, and it can lead to data theft or a wider supply-chain compromise. The attacker can impersonate any distribution served by the mirror [2].
Mitigation
Update App::cpanminus to 1.7045 or later: the SUSE and openSUSE package ranges listed below treat 1.7045 as the fixed version, and Fedora has issued a package-announce advisory for this CVE [3], but the references in this bundle do not confirm an upstream fix commit. Until the client is updated, point cpanm at a trusted HTTPS mirror (its --mirror option) so that a tampered CHECKSUMS file cannot be injected in transit, and do not treat the CHECKSUMS signature check as a security control, since it can be bypassed [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Perl/App::cpanminus
  - Range: =1.7044
- OSV coordinates (3 versions, no CPE):
  - pkg:rpm/opensuse/perl-App-cpanminus&distro=openSUSE%20Leap%2015.3, range: < 1.7045-bp153.2.3.1
  - pkg:rpm/opensuse/perl-App-cpanminus&distro=openSUSE%20Tumbleweed, range: < 1.7045-1.1
  - pkg:rpm/suse/perl-App-cpanminus&distro=SUSE%20Package%20Hub%2015%20SP3, range: < 1.7045-bp153.2.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The signature check does not tie the signed cleartext to the data the client actually evaluates, so unsigned checksum entries prepended to a validly signed CHECKSUMS file are accepted."
Attack vector
An attacker who controls a CPAN mirror (or can intercept and modify traffic to a legitimate one) prepends a checksum entry for a malicious distribution to the beginning of the mirror's CHECKSUMS file, ahead of the cleartext PGP header [2]. Because cpanm's call to `Module::Signature::_verify()` never compares the signed cleartext with the content that is evaluated, the signature check passes although the file has been tampered with [2]. The attacker serves the modified CHECKSUMS alongside a backdoored distribution; when a victim runs `cpanm` against the attacker-controlled mirror, the digest of the backdoored tarball matches the forged entry and the package is installed without a verification failure [2].
Affected code
The vulnerability lies in how App::cpanminus (cpanm) uses `Module::Signature::_verify()`. That function takes optional `sigtext` and `plaintext` arguments and runs its `_compare()` check only when they are supplied; cpanm passes only the CHECKSUMS path, so no comparison happens and `_verify()` merely confirms that a valid signed cleartext exists somewhere in the file. It says nothing about the bytes outside that block, which are exactly the ones cpanm goes on to evaluate [2].
What the fix does
No patch is shown in the bundle. The advisory recommends configuring the CPAN client to use a trusted TLS-protected (https) mirror, because signature verification can be bypassed and a signed CHECKSUMS file therefore offers no protection on its own [2]. A proper fix has to tie the checksums cpanm evaluates to the signed cleartext: evaluate only the signed region, or compare it against the text that is evaluated. Simply rejecting any bytes before the PGP header would be too strict, because genuine CHECKSUMS files begin with the unsigned line `0&&<<''; # this PGP-signed message is also valid perl`, which sits outside the signed block by design so that perl skips the armor headers.
Preconditions
- network: The victim's cpanm must be configured to use a mirror controlled by the attacker, or the attacker must be able to intercept and modify traffic to a legitimate mirror (practical against plain http mirrors).
- config: Module::Signature must be installed on the victim's system and cpanm run with signature verification enabled; the bypass matters precisely because the user asked for the CHECKSUMS signature to be checked.
- input: The attacker must be able to craft a malicious Perl distribution and compute its SHA-256 digest for the forged CHECKSUMS entry.
Reproduction
1. Set up a malicious CPAN mirror: create the directory structure `cpan/authors/id/S/SR/SRI/`, download the original CHECKSUMS file from a legitimate mirror into it, and build a backdoored distribution (e.g., `Mojolicious-8.56.tar.gz`).
2. Compute the SHA-256 of the malicious tarball and prepend a forged entry, terminated by `__END__`, before the original CHECKSUMS content: `(echo -en "\$chksum = { '$module.tar.gz' => { sha256 => '$sha256'} };\n__END__\n"; cat CHECKSUMS_ORIG) > CHECKSUMS`. Because cpanm evaluates CHECKSUMS as Perl, parsing stops at `__END__`, so the forged entry is the only one it sees while the signed block below it still verifies.
3. Serve the mirror locally (e.g., `busybox httpd -f -p 8000` from the mirror root).
4. Run `cpanm --mirror http://localhost:8000 Mojolicious` with signature verification enabled: the signature check passes and the backdoored distribution is installed [2].
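The following is an added example, not code from App::cpanminus, Module::Signature or the hackeriet write-up. It models the check described in the Affected code and What the fix does paragraphs above and the tampering from step 2 of the reproduction. It constructs a CHECKSUMS file for a hypothetical Mojolicious-8.56.tar.gz (the digests, the tarball bytes and the armored signature are made up; only the prelude line is what PAUSE really emits), prepends the attacker's entry exactly as in step 2, and compares a client that evaluates the whole file once a signed block has been found (the 1.7044 behaviour) with one that evaluates only the signed cleartext. The gpg step is assumed to succeed on the signed block, as it does in the real attack because the attacker never touches it; the names vulnerable_checksums, hardened_checksums and tarball_ok are this example's, and the hardened variant is one possible design, not the upstream patch.

```python
"""Model of the CHECKSUMS signature bypass (added example, not cpanm code).
The gpg step is assumed to succeed on the signed block, as in the real attack;
what is modelled is which bytes of the file the client trusts afterwards."""
import hashlib
import hmac
import re
from typing import Callable, Dict, Optional

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

DIST = "Mojolicious-8.56.tar.gz"
GENUINE_TARBALL = b"genuine tarball bytes (constructed)"
BACKDOORED_TARBALL = b"backdoored tarball bytes (constructed)"
GOOD_SHA256 = hashlib.sha256(GENUINE_TARBALL).hexdigest()
EVIL_SHA256 = hashlib.sha256(BACKDOORED_TARBALL).hexdigest()

# Constructed CHECKSUMS file. The first line is the prelude PAUSE really emits
# (a here-doc that hides the armor headers from perl); the armored signature
# below is a placeholder, not a real signature.
CHECKSUMS_ORIG = f"""0&&<<''; # this PGP-signed message is also valid perl
{BEGIN_SIGNED}
Hash: SHA256

# Last updated (constructed sample)
$cksum = {{
  '{DIST}' => {{
    'sha256' => '{GOOD_SHA256}',
    'size' => 1234567
  }}
}};
__END__
{BEGIN_SIG}

iQEzBAEBCAAdFiEEconstructedPlaceholderNotARealSignature00000000=
=0000
{END_SIG}
"""

# The attacker's prefix from step 2 above: a complete assignment plus __END__,
# placed before the signed block and therefore never covered by it.
CHECKSUMS_TAMPERED = (
    f"$chksum = {{ '{DIST}' => {{ sha256 => '{EVIL_SHA256}'}} }};\n__END__\n"
    + CHECKSUMS_ORIG
)

_SIGNED = re.compile(
    re.escape(BEGIN_SIGNED) + r"\n(?:[^\n]+\n)*\n(.*?)\n" + re.escape(BEGIN_SIG) + r"\n",
    re.S,
)
_ENTRY = re.compile(r"'([^']+)'\s*=>\s*\{[^}]*?'?sha256'?\s*=>\s*'([0-9a-f]{64})'", re.S)


def signed_region(data: str) -> Optional[str]:
    """Cleartext a PGP signature in DATA can vouch for (RFC 4880 section 7:
    from the blank line after the armor headers to BEGIN PGP SIGNATURE,
    dash-unescaped), or None. Bytes outside that window are unsigned."""
    m = _SIGNED.search(data)
    if m is None or END_SIG not in data[m.end():]:
        return None
    return re.sub(r"^- ", "", m.group(1), flags=re.M)


def entries_perl_would_see(text: str) -> Dict[str, str]:
    """Approximate `do CHECKSUMS`: dist => sha256 pairs that appear before the
    first __END__, because perl stops reading the file there."""
    visible = text.split("__END__", 1)[0]
    return dict(_ENTRY.findall(visible))


def vulnerable_checksums(data: str) -> Optional[Dict[str, str]]:
    """1.7044 behaviour as described above: accept if a valid signed cleartext
    exists anywhere in the file, then evaluate the WHOLE file."""
    if signed_region(data) is None:
        return None
    return entries_perl_would_see(data)


def hardened_checksums(data: str) -> Optional[Dict[str, str]]:
    """Evaluate only the signed cleartext, so unsigned bytes cannot supply an
    entry (one possible design for the fix, not the upstream patch)."""
    body = signed_region(data)
    if body is None:
        return None
    return entries_perl_would_see(body)


def tarball_ok(checksums_file: str, dist: str, tarball: bytes,
               policy: Callable[[str], Optional[Dict[str, str]]]) -> bool:
    """Would a client using POLICY install TARBALL as DIST?"""
    entries = policy(checksums_file)
    if not entries or dist not in entries:
        return False
    return hmac.compare_digest(entries[dist], hashlib.sha256(tarball).hexdigest())


if __name__ == "__main__":
    for name, policy in (("vulnerable", vulnerable_checksums),
                         ("hardened", hardened_checksums)):
        print(name, "installs backdoor from tampered CHECKSUMS:",
              tarball_ok(CHECKSUMS_TAMPERED, DIST, BACKDOORED_TARBALL, policy))
        print(name, "installs genuine dist from genuine CHECKSUMS:",
              tarball_ok(CHECKSUMS_ORIG, DIST, GENUINE_TARBALL, policy))
```

Run as a script to see the two verdicts side by side: the vulnerable policy installs the backdoored tarball from the tampered file, the hardened policy refuses it, and both accept the genuine pair. The point it makes is that a "good signature" from gpg answers a question about the signed window only; a client that then consumes bytes outside that window is trusting data nobody signed, which is why the signed region, not the file, has to be the data source.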
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] https://metacpan.org/pod/App::cpanminus (MISC)
- [2] https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/ (MISC)
- [3] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DENFY4CRTIZL5WYYUYUM4VKCJNXO4QIW/ (Fedora package-announce, vendor advisory)
News mentions
No linked articles in our index yet.