CVE-2025-15649
CWE-248
Published: May 27, 2026 · Updated: May 29, 2026
Official Description
IO::Uncompress::Unzip versions before 2.215 for Perl propagate an uncaught exception when parsing a zip header with a malformed DOS date.
_dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die.
The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.
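A caller-side guard for the behaviour described above, as an added example that is not part of the module or of this advisory: it wraps the constructor in `eval` so an exception raised during header parsing is turned back into the undef-plus-error convention callers expect. The helper names `safe_unzip_new` and `sample_zip` are hypothetical, and the header bytes are constructed test input.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Uncompress::Unzip qw($UnzipError);

# Hypothetical helper (not part of the module): returns ($handle, undef) on
# success or (undef, $message) on any failure, including an exception thrown
# from inside the constructor while the local file header is decoded.
sub safe_unzip_new {
    my ($input, %opts) = @_;
    my $z;
    my $ok = eval { $z = IO::Uncompress::Unzip->new($input, %opts); 1 };
    unless ($ok) {
        my $err = $@ || 'unknown error';
        $err =~ s/\s+\z//;    # drop the trailing newline added by die/croak
        return (undef, "exception while parsing zip header: $err");
    }
    return (undef, $UnzipError || 'unzip failed') unless defined $z;
    return ($z, undef);
}

# Constructed sample input: one local file header for an empty, stored
# member named "a.txt", with caller-supplied DOS time and date words.
sub sample_zip {
    my ($dos_time, $dos_date) = @_;
    my $name = 'a.txt';
    return pack('a4 v v v v v V V V v v a*',
        "PK\x03\x04",           # local file header signature
        20, 0, 0,               # version needed, flags, method (0 = stored)
        $dos_time, $dos_date,   # last-modification time and date
        0, 0, 0,                # CRC-32, compressed size, uncompressed size
        length $name, 0, $name);
}

# DOS date layout: bits 15-9 year since 1980, bits 8-5 month, bits 4-0 day.
my @cases = (
    ['valid date', 12 << 11, (44 << 9) | (1 << 5) | 15],   # 2024-01-15 12:00
    ['month 0',    12 << 11, (44 << 9) | (0 << 5) | 15],   # month out of range
);

for my $case (@cases) {
    my ($label, $time, $date) = @$case;
    my $buf = sample_zip($time, $date);
    my ($z, $err) = safe_unzip_new(\$buf);    # scalar ref: read from memory
    printf "%-10s => %s\n", $label, defined $z ? 'opened' : "rejected: $err";
}
```

With the wrapper in place, a process that handles untrusted archives logs the rejected file and continues instead of terminating on the uncaught exception.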
Technical Analysis
CVE-2025-15649 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
A successful exploit results in availability disruption (denial of service), with a CVSS base score of 5.5.
Recommended Actions
- Apply vendor patches immediately
- Monitor CVE-2025-15649 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts