Denial of Service Vulnerability in IO::Uncompress::Unzip for Perl
CVE-2025-15649
What is CVE-2025-15649?
The IO::Uncompress::Unzip module for Perl mishandles zip headers whose DOS date field is malformed. Its dosToUnixTime() method does not check for out-of-range date values before calling Time::Local::timelocal(), and the call is not wrapped in an eval guard, so an invalid date field raises an uncaught exception. The exception propagates out of IO::Uncompress::Unzip->new($file), so an application that opens a crafted or corrupt archive dies instead of receiving an error, disrupting its normal operation for users. Upgrade to version 2.215 or later to mitigate.
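The failure mode described above, as an added Perl example that is not the module's own code: a packed zip-header DOS date/time field is decoded and converted with Time::Local::timelocal(), first unguarded (the behaviour the advisory describes) and then wrapped in eval so a malformed field yields undef rather than an exception. The helper names, the undef fallback and the sample values are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example, not the IO::Uncompress::Unzip implementation: it reproduces
# the advisory's failure mode (an unguarded Time::Local::timelocal call on a
# malformed DOS date) beside an eval-guarded variant.
use strict;
use warnings;
use Time::Local qw(timelocal);

# Split the 32-bit field into timelocal's six components.
# Layout as stored in a zip local header (low word = time, high word = date):
#   date: bits 9-15 year-1980, 5-8 month (1-12), 0-4 day (1-31)
#   time: bits 11-15 hour, 5-10 minute, 0-4 seconds/2
sub dos_fields {
    my ($dt) = @_;
    return (
        (($dt << 1) & 0x3e),           # seconds (stored in 2-second units)
        (($dt >> 5) & 0x3f),           # minute
        (($dt >> 11) & 0x1f),          # hour
        (($dt >> 16) & 0x1f),          # day of month
        ((($dt >> 21) & 0x0f) - 1),    # month, 0-based for timelocal
        ((($dt >> 25) & 0x7f) + 1980), # four-digit year
    );
}

# Unguarded: any out-of-range component makes timelocal() croak, and the
# exception escapes to whoever opened the archive.
sub dos_to_unix_unguarded {
    my ($dt) = @_;
    return timelocal(dos_fields($dt));
}

# Guarded: the same conversion inside eval. A malformed field yields undef
# (an assumed fallback policy for this example) instead of dying.
sub dos_to_unix_guarded {
    my ($dt) = @_;
    my $t = eval { timelocal(dos_fields($dt)) };
    return $t;
}

# Constructed sample values, not taken from a real archive:
#   0x586F53C0 -> 2024-03-15 10:30:00 (well-formed)
#   0x586053C0 -> same, but the day-of-month field is 0 (malformed)
for my $dt (0x586F53C0, 0x586053C0) {
    my $t = dos_to_unix_guarded($dt);
    printf "0x%08X -> %s\n", $dt,
        defined $t ? scalar localtime($t) : "rejected (malformed DOS date)";
    my $ok = eval { dos_to_unix_unguarded($dt); 1 };
    print "  unguarded call died: $@" unless $ok;
}
```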
Affected Version(s)
IO::Uncompress::Unzip: all versions from 0 up to, but not including, 2.215
