[oss-security] CVE-2026-8612: WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution

Thu, 14 May 2026 18:17:45 -0700 

========================================================================
CVE-2026-8612                                        CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-8612
  Distribution:  WWW-Mechanize-Cached
      Versions:  before 2.00

      MetaCPAN:  https://metacpan.org/dist/WWW-Mechanize-Cached
      VCS Repo:  https://github.com/libwww-perl/WWW-Mechanize-Cached


WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached
HTTP responses from a world-writable on-disk cache, enabling local
response forgery and code execution

Description
-----------
WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached
HTTP responses from a world-writable on-disk cache, enabling local
response forgery and code execution.

With no explicit cache backend, WWW::Mechanize::Cached constructs a
default Cache::FileCache under /tmp/FileCache without overriding the
backend's documented directory_umask of 000, so the cache root and its
subdirectories are created mode 0777 with no sticky bit. Cache entries
are named by sha1_hex of the request and read back through
Storable::thaw on the next cache hit.

A local attacker with write access to the cache tree can replace a
victim's cache entry for a known URL with an arbitrary frozen
HTTP::Response blob, causing the victim's next get() of that URL to
return attacker controlled response bytes. Because the bytes are passed
to Storable::thaw, a victim process that has loaded any class with a
side-effectful STORABLE_thaw, DESTROY, or overload hook can be
escalated to arbitrary code execution.

Problem types
-------------
- CWE-732 Incorrect Permission Assignment for Critical Resource
- CWE-502 Deserialization of Untrusted Data

Solutions
---------
Upgrade to WWW-Mechanize-Cached 2.00 or later.


References
----------
https://github.com/libwww-perl/WWW-Mechanize-Cached/pull/36
https://github.com/libwww-perl/WWW-Mechanize-Cached/commit/b821647deeedf83490ebc1db91d959d942300ce0.patch
https://metacpan.org/release/OALDERS/WWW-Mechanize-Cached-2.00/changes

Timeline
--------
- 2026-05-13: Issue reported.
- 2026-05-14: WWW-Mechanize-Cached 2.00 released with fix.

Reply via email to