VYPR
Unrated severity · NVD Advisory · Published Aug 27, 2024 · Updated Sep 6, 2024

CVE-2024-45321

Description

The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

App::cpanminus through 1.7047 downloads Perl code via insecure HTTP, allowing network attackers to execute arbitrary code via a man-in-the-middle attack.

Vulnerability

App::cpanminus (cpanm) through version 1.7047, a lightweight Perl module installer, downloads code and metadata from CPAN using plain HTTP by default. This constitutes CWE-494: Download of Code Without Integrity Check, as no HTTPS verification is enforced. The affected versions are all releases prior to any patch that enforces HTTPS or fails securely when SSL support is absent [1][2].

Exploitation

An attacker with network position between the cpanm client and CPAN mirrors can intercept HTTP traffic and replace legitimate Perl modules or metadata with malicious content. No authentication or user interaction beyond running an unmodified cpanm command is required. The attack is feasible because cpanm does not verify SSL certificates or enforce HTTPS by default, and if SSL support is missing in the transport backend, it may silently fall back to insecure HTTP [2].

Impact

Successful exploitation allows arbitrary code execution on the victim's system with the privileges of the user running cpanm. This leads to full compromise of the Perl module installation process, potentially enabling further privilege escalation or lateral movement within the affected environment [2].

Mitigation

As of 2024-08-27, no official upstream patch is available. Users can mitigate by (1) configuring cpanm to use an HTTPS mirror via the --from option (e.g., --from https://www.cpan.org), (2) editing the cpanm executable to replace http:// URLs with https:// using a one-liner, or (3) switching to an alternative client like CPAN.pm 2.35+ or App::cpm which use HTTPS by default [2]. The pull request #674 adds SSL error handling but has not been merged upstream [1].
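As an added example (not from the advisory, the NVD record or the cpanminus project), the script below works through mitigation (2) on a constructed stand-in file rather than the real cpanm script, which is not reproduced here: it counts plain-HTTP URLs, rewrites them to https://, keeps a backup, and re-checks that none remain. The function names and the sample file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the advisory or the cpanminus project.
# Demonstrates the "replace http:// with https://" mitigation on a constructed
# stand-in for the cpanm script, plus a check for any remaining plain-HTTP URLs.

set -eu

# Write a constructed sample that resembles the kind of mirror URLs a cpanm
# script carries. This is NOT the real cpanm file.
write_sample_cpanm() {
    cat > "$1" <<'EOF'
# constructed stand-in for fragments of a cpanm script
my $default_mirror = 'http://www.cpan.org/';
my $metacpan       = 'http://fastapi.metacpan.org/v1/';
my $already_tls    = 'https://cpan.metacpan.org/';
EOF
}

# Print the number of lines in $1 that still contain a plain-HTTP URL.
# grep -c exits 1 when the count is zero, so "|| true" keeps set -e happy.
count_http_urls() {
    grep -c 'http://' "$1" || true
}

# Rewrite every http:// URL in $1 to https:// in place, keeping $1.bak.
# The '#' delimiter avoids escaping the slashes in the URL scheme.
rewrite_http_to_https() {
    cp "$1" "$1.bak"
    sed 's#http://#https://#g' "$1.bak" > "$1"
}

# Stand-alone demonstration on a temporary file.
demo_file=$(mktemp)
write_sample_cpanm "$demo_file"
echo "plain-HTTP URLs before: $(count_http_urls "$demo_file")"
rewrite_http_to_https "$demo_file"
echo "plain-HTTP URLs after:  $(count_http_urls "$demo_file")"
rm -f "$demo_file" "$demo_file.bak"
```

Applied to a real cpanm script, `count_http_urls` is the check to rerun after the rewrite: a non-zero count means a plain-HTTP download path survived. Mitigation (1) from the advisory needs no file edit at all: invoking cpanm with `--from https://www.cpan.org` (as the advisory states) makes the HTTPS mirror the only source for that run.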

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 11

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.