CVE-2025-15638: CWE-1395 Dependency on Vulnerable Third-Party Component in ATRODO Net::Dropbear
Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt. Net::Dropbear versions before 0.14 includes versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt v1.18.1 or earlier, which is affected by CVE-2016-6129 and CVE-2018-12437.
AI Analysis
Technical Summary
CVE-2025-15638 identifies a vulnerability in ATRODO's Net::Dropbear Perl module versions prior to 0.14 due to the inclusion of outdated libtomcrypt versions (v1.18.1 or earlier). These libtomcrypt versions are known to be vulnerable to CVE-2016-6129 and CVE-2018-12437. Since Net::Dropbear bundles Dropbear 2019.78 or earlier, it inherits these vulnerable cryptographic components. The vulnerability is categorized under CWE-1395, indicating dependency on a vulnerable third-party component. No CVSS score or vendor remediation information is currently available.
Potential Impact
The impact arises from the inclusion of vulnerable cryptographic library versions within Net::Dropbear, potentially exposing users to risks associated with CVE-2016-6129 and CVE-2018-12437. However, no specific exploitation details or active exploits have been reported. The lack of an official patch or remediation guidance means the vulnerability remains unaddressed in affected versions.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider upgrading to Net::Dropbear version 0.14 or later if available, or manually updating the libtomcrypt dependency to a non-vulnerable version. Monitoring the vendor's communications for updates is recommended.
CVE-2025-15638: CWE-1395 Dependency on Vulnerable Third-Party Component in ATRODO Net::Dropbear
Description
Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt. Net::Dropbear versions before 0.14 includes versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt v1.18.1 or earlier, which is affected by CVE-2016-6129 and CVE-2018-12437.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-15638 identifies a vulnerability in ATRODO's Net::Dropbear Perl module versions prior to 0.14 due to the inclusion of outdated libtomcrypt versions (v1.18.1 or earlier). These libtomcrypt versions are known to be vulnerable to CVE-2016-6129 and CVE-2018-12437. Since Net::Dropbear bundles Dropbear 2019.78 or earlier, it inherits these vulnerable cryptographic components. The vulnerability is categorized under CWE-1395, indicating dependency on a vulnerable third-party component. No CVSS score or vendor remediation information is currently available.
Potential Impact
The impact arises from the inclusion of vulnerable cryptographic library versions within Net::Dropbear, potentially exposing users to risks associated with CVE-2016-6129 and CVE-2018-12437. However, no specific exploitation details or active exploits have been reported. The lack of an official patch or remediation guidance means the vulnerability remains unaddressed in affected versions.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider upgrading to Net::Dropbear version 0.14 or later if available, or manually updating the libtomcrypt dependency to a non-vulnerable version. Monitoring the vendor's communications for updates is recommended.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-04-20T12:20:50.153Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e79f4219fe3cd2cde23981
Added to database: 4/21/2026, 4:01:06 PM
Last enriched: 4/21/2026, 4:16:17 PM
Last updated: 4/21/2026, 6:11:49 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.