Fluid Attacks Database

Description

IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die. The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	perl	=5.32.1-4 \|\| =5.32.1-4+deb11u1 \|\| =5.32.1-4+deb11u2 \|\| =5.32.1-4+deb11u3 \|\| =5.32.1-4+deb11u4 \|\| =5.32.1-4+deb11u5 \|\| =5.32.1-5 \|\| =5.32.1-6 \|\| =5.34.0-1 \|\| =5.34.0-2 \|\| =5.34.0-3 \|\| =5.34.0-4 \|\| =5.34.0-5 \|\| =5.34.0~rc2-1 \|\| =5.36.0-1 \|\| =5.36.0-10 \|\| =5.36.0-2 \|\| =5.36.0-3 \|\| =5.36.0-4 \|\| =5.36.0-5 \|\| =5.36.0-6 \|\| =5.36.0-7 \|\| =5.36.0-8 \|\| =5.36.0-9 \|\| =5.38.0-1 \|\| =5.38.0-2 \|\| =5.38.0~rc2-1 \|\| =5.38.2-1 \|\| =5.38.2-2 \|\| =5.38.2-3 \|\| =5.38.2-3.1 \|\| =5.38.2-3.2 \|\| =5.38.2-3.2+hurd.1 \|\| =5.38.2-4 \|\| =5.38.2-5 \|\| =5.40.0-1 \|\| =5.40.0-2 \|\| =5.40.0-3 \|\| =5.40.0-4 \|\| =5.40.0-5 \|\| =5.40.0-6 \|\| =5.40.0-7 \|\| =5.40.0-8 \|\| =5.40.0~rc1-1 \|\| =5.40.1-1 \|\| =5.40.1-2 \|\| =5.40.1-3 \|\| =5.40.1-4 \|\| =5.40.1-5 \|\| =5.40.1-6 \|\| =5.40.1-7 \|\| =5.42.0-1 \|\| =5.42.0-2 \|\| =5.42.0-3 \|\| =5.42.2-1	-
debian 11	libio-compress-perl	=2.101-1 \|\| =2.102-1 \|\| =2.103-1 \|\| =2.104-1 \|\| =2.105-1 \|\| =2.201-1 \|\| =2.201-2 \|\| =2.204-1 \|\| =2.206-1 \|\| =2.207-1 \|\| =2.208-1 \|\| =2.211-1 \|\| =2.212-1 \|\| =2.213-1 \|\| =2.214-1 \|\| =2.217-1 \|\| =2.219-1 \|\| =2.219-2 \|\| =2.220-1	-
debian 12	libio-compress-perl	=2.204-1 \|\| =2.206-1 \|\| =2.207-1 \|\| =2.208-1 \|\| =2.211-1 \|\| =2.212-1 \|\| =2.213-1 \|\| =2.214-1 \|\| =2.217-1 \|\| =2.219-1 \|\| =2.219-2 \|\| =2.220-1	-
debian 14	libio-compress-perl	=2.213-1 \|\| =2.214-1 \|\| >=0 <2.217-1	2.217-1
debian 12	perl	=5.36.0-10 \|\| =5.36.0-7 \|\| =5.36.0-7+deb12u1 \|\| =5.36.0-7+deb12u2 \|\| =5.36.0-7+deb12u3 \|\| =5.36.0-8 \|\| =5.36.0-9 \|\| =5.38.0-1 \|\| =5.38.0-2 \|\| =5.38.0~rc2-1 \|\| =5.38.2-1 \|\| =5.38.2-2 \|\| =5.38.2-3 \|\| =5.38.2-3.1 \|\| =5.38.2-3.2 \|\| =5.38.2-3.2+hurd.1 \|\| =5.38.2-4 \|\| =5.38.2-5 \|\| =5.40.0-1 \|\| =5.40.0-2 \|\| =5.40.0-3 \|\| =5.40.0-4 \|\| =5.40.0-5 \|\| =5.40.0-6 \|\| =5.40.0-7 \|\| =5.40.0-8 \|\| =5.40.0~rc1-1 \|\| =5.40.1-1 \|\| =5.40.1-2 \|\| =5.40.1-3 \|\| =5.40.1-4 \|\| =5.40.1-5 \|\| =5.40.1-6 \|\| =5.40.1-7 \|\| =5.42.0-1 \|\| =5.42.0-2 \|\| =5.42.0-3 \|\| =5.42.2-1	-
debian 14	perl	=5.40.1-6 \|\| =5.40.1-7 \|\| =5.42.0-1 \|\| =5.42.0-2 \|\| =5.42.0-3 \|\| =5.42.2-1	-
debian 13	libio-compress-perl	=2.213-1 \|\| =2.214-1 \|\| =2.217-1 \|\| =2.219-1 \|\| =2.219-2 \|\| =2.220-1	-
debian 13	perl	=5.40.1-6 \|\| =5.40.1-7 \|\| =5.42.0-1 \|\| =5.42.0-2 \|\| =5.42.0-3 \|\| =5.42.2-1	-

Aliases

1. CVE-2025-156492. NVD-2025-156493. OSV-DEBIAN-2025-156494. OSV-2025-156495. SECURITY-TRACKER-CVE-2025-15649

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.