VYPR
Medium severity5.5NVD Advisory· Published May 27, 2026· Updated May 29, 2026

CVE-2025-15649

CVE-2025-15649

Description

IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date.

_dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die.

The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Pmqs/Io Compressreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <2.215

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.