CVE-2025-15649: CWE-248 Uncaught Exception in PMQS IO::Uncompress::Unzip
IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die. The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.
AI Analysis
Technical Summary
The vulnerability arises because IO::Uncompress::Unzip improperly handles malformed DOS date fields in zip headers. Specifically, _dosToUnixTime() decodes the last-modification date and calls Time::Local::timelocal() without an eval guard, leading to an uncaught exception if the date is invalid. This causes the exception to propagate out of the constructor method where callers anticipate a controlled error return (undef plus $UnzipError), potentially disrupting normal error handling flows.
Potential Impact
The impact is that malformed zip files with invalid DOS date fields can cause IO::Uncompress::Unzip to throw uncaught exceptions, potentially leading to application crashes or denial of service in software relying on this module. There is no indication of code execution or data corruption beyond the exception propagation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should validate or sanitize zip files before processing or implement their own exception handling around IO::Uncompress::Unzip->new calls to catch potential exceptions.
CVE-2025-15649: CWE-248 Uncaught Exception in PMQS IO::Uncompress::Unzip
Description
IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die. The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises because IO::Uncompress::Unzip improperly handles malformed DOS date fields in zip headers. Specifically, _dosToUnixTime() decodes the last-modification date and calls Time::Local::timelocal() without an eval guard, leading to an uncaught exception if the date is invalid. This causes the exception to propagate out of the constructor method where callers anticipate a controlled error return (undef plus $UnzipError), potentially disrupting normal error handling flows.
Potential Impact
The impact is that malformed zip files with invalid DOS date fields can cause IO::Uncompress::Unzip to throw uncaught exceptions, potentially leading to application crashes or denial of service in software relying on this module. There is no indication of code execution or data corruption beyond the exception propagation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should validate or sanitize zip files before processing or implement their own exception handling around IO::Uncompress::Unzip->new calls to catch potential exceptions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-05-26T18:17:10.655Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a16660ce29bf47b50903576
Added to database: 5/27/2026, 3:33:32 AM
Last enriched: 5/27/2026, 3:49:18 AM
Last updated: 5/29/2026, 4:49:20 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.