File Reading Vulnerability in App::Ack for Perl by PETDANCE
CVE-2026-49145
7.5HIGH
What is CVE-2026-49145?
App::Ack prior to version 3.10.0 for Perl allows arbitrary file reading through the --files-from option set in a project's .ackrc configuration file. This configuration can lead ack to access files beyond the intended project directory, potentially exposing sensitive information. The vulnerability arises because the project-source option blocklist in App::Ack::ConfigLoader does not restrict the --files-from option, enabling malicious users to point this to arbitrary file paths. It is crucial for developers to ensure their .ackrc files are not contributed to untrusted repositories to prevent exposure of unintended files.
Affected Version(s)
App::Ack 0 <= 3.10.0
References
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Michał Majchrowicz (AFINE)
Marcin Wyczechowski (AFINE)
