Vulnerability Report

CVE-2021-4456

Title: IP CIDR mishandling in Net::CIDR for Perl

Other

Proof Of Concept

No public PoC currently indexed for CVE-2021-4456.

CWE Category CWE-704

Published Date Feb 27, 2026

Modified Date Mar 03, 2026

Exploit Status Not Found

Score 6.5 CVSS v

Exploit Probability (EPSS)

0.07%

Vulnerability Summary

CVE-2021-4456: Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. In some cases an attacker may be able to leverage this to bypass access controls based on IP addresses. The documentation advises validating untrusted CIDR strings with the `cidrvalidate` function. However, this mitigation is optional and not enforced by default. In practice, users may call `addr2cidr` or `cidrlookup` with untrusted input and without validation, incorrectly assuming that this is safe.

Impacted Vendors

net-dns 1

mrsam 1

Reference Links

https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/ https://github.com/svarshavchik/Net-CIDR/commit/e3648c6bc6bdd018f90cca4149c467017d42bd10 https://metacpan.org/dist/Net-CIDR/changes

CVSS v3.1

Source Entity 134c704f-9b21-4f2e-91b3-4a467353bcc0

Severity MEDIUM

6.5

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns