CVE-2021-4456
Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. In some cases an attacker may be able to leverage this to bypass access controls based on IP addresses. The documentation advises validating untrusted CIDR strings with the `cidrvalidate` function. However, this mitigation is optional and not enforced by default. In practice, users may call `addr2cidr` or `cidrlookup` with untrusted input and without validation, incorrectly assuming that this is safe.
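The ambiguity described above, as an added example that is not code from Net::CIDR or from the original page: the helper names (`as_decimal`, `as_octal_aware`, `strict_ipv4_cidr`) and the sample addresses are constructed for illustration, and the octal reading models a consumer that treats a leading zero as an octal prefix. The strict check is syntactic only and is meant to run on untrusted input before it reaches `addr2cidr` or `cidrlookup`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Reading 1: every octet is plain decimal ("010" -> 10).
sub as_decimal {
    my ($addr) = @_;
    return join '.', map { $_ + 0 } split /\./, $addr;
}

# Reading 2: a leading zero marks an octal octet ("010" -> 8).
# Returns undef when a zero-prefixed octet is not valid octal ("08", "09").
sub as_octal_aware {
    my ($addr) = @_;
    my @out;
    for my $o (split /\./, $addr) {
        if ($o =~ /\A0[0-9]/) {
            return unless $o =~ /\A0[0-7]+\z/;
            push @out, oct $o;
        } else {
            push @out, $o + 0;
        }
    }
    return join '.', @out;
}

# Hypothetical guard: accept only canonical IPv4 with an optional /0-32
# prefix. Four octets, each 0-255, no leading zeros. Syntax check only;
# it does not verify that the host bits of a CIDR are zero.
sub strict_ipv4_cidr {
    my ($s) = @_;
    return unless defined $s;
    my ($addr, $len) = $s =~ m{\A([0-9.]+)(?:/([0-9]+))?\z} or return;
    my @octets = split /\./, $addr, -1;
    return unless @octets == 4;
    for my $o (@octets) {
        return unless $o =~ /\A(?:0|[1-9][0-9]{0,2})\z/ && $o <= 255;
    }
    return if defined $len && !($len =~ /\A(?:0|[1-9][0-9]?)\z/ && $len <= 32);
    return $s;
}

# Constructed sample inputs: two of them read differently under the two models.
for my $in ('010.0.0.1', '10.0.0.1/8', '192.168.010.5', '127.0.0.01/32') {
    my ($addr) = split m{/}, $in;
    printf "%-16s decimal=%-14s octal-aware=%-14s strict=%s\n",
        $in, as_decimal($addr), as_octal_aware($addr) // 'invalid',
        defined(strict_ipv4_cidr($in)) ? 'accept' : 'reject';
}
```

Any input for which the two readings differ is one where an allow or deny decision made on one reading can be applied to a different host under the other, which is why the guard rejects every zero-prefixed octet rather than trying to normalize it.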
EPSS 0.07% · 22.2th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| MRSAM | Net::CIDR | 0, 0, 0 |
Timeline
- Feb 27, 2026 EPSS Score
- Feb 27, 2026 CVE Published
- Feb 27, 2026 CVE Updated
- Feb 28, 2026 EPSS Score
- Mar 2, 2026 EPSS Score
- Mar 3, 2026 EPSS Score
- Mar 5, 2026 EPSS Score
- Mar 6, 2026 EPSS Score
- Mar 8, 2026 EPSS Score
- Mar 9, 2026 EPSS Score
- Mar 11, 2026 EPSS Score
- Mar 12, 2026 EPSS Score
References
- https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/ url
- https://github.com/svarshavchik/Net-CIDR/commit/e3648c6bc6bdd018f90cca4149c467017d42bd10 patch
- https://metacpan.org/dist/Net-CIDR/changes url
- https://nvd.nist.gov/vuln/detail/CVE-2021-4456 advisory