{"id":"CVE-2025-15649","summary":"IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date","details":"IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date.\n\n_dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die.\n\nThe exception propagates out of IO::Uncompress::Unzip-\u003enew($file) where callers expect undef plus $UnzipError.","modified":"2026-05-31T03:56:09.982192409Z","published":"2026-05-27T02:25:38.973Z","database_specific":{"cwe_ids":["CWE-248"],"cna_assigner":"CPANSec","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/15xxx/CVE-2025-15649.json"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/05/27/1"},{"type":"WEB","url":"https://cpan.org/modules"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/15xxx/CVE-2025-15649.json"},{"type":"ADVISORY","url":"https://metacpan.org/release/PMQS/IO-Compress-2.215/changes"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-15649"},{"type":"REPORT","url":"https://github.com/pmqs/IO-Compress/issues/65"},{"type":"FIX","url":"https://github.com/pmqs/IO-Compress/commit/fd28c1d2374eee9811f6d0c5bddc0957abdf1da8.patch"},{"type":"PACKAGE","url":"https://github.com/pmqs/IO-Compress"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pmqs/io-compress","events":[{"introduced":"0"},{"fixed":"564ecba93b8165bc60667359483feb8821fa6422"}]}],"versions":["v2.214","v2.213","v2.212","v2.211","v2.208","v2.207","v2.206","v2-205","v2.204","v2.201","v2.106","v2.105","v2.103","v2.102","v2.101","v2.100","v2.096","v2.095","v2.093","v2.092","v2.091","v2.090","v2.089","v2.088","v2.087","v2.086","v2.084","v2.083","v2.082","v2.081","v2.080","v2.074","v2.073","v2.072","v2.070","v2.069","v2.068","v2.067","v2.066","v2.064","v2.063","v2.062","v2.061","v2.060","v2.059","v2.058","v2.057","v2.055","v2.052","v2.049","v2.048","v2.047","v2.046","v2.045","v2.044","v2.043","v2.042","v2.040","v2.039","v2.037","v2.036","v2.035","v2.034","v2.033","v2.032","v2.030","v2.027","v2.026","v2.025","v2.024","v2.023","v2.022","v2.021","v2.020","v2.019","v2.018","v2.017","v2.015","v2.014","v2.012","v2.011","v2.010","v2.008","v2.007","v2.006","v2.005","v2.004","v2.003","v2.002","v2.001","v2.000_14","v2.000_13","v2.000_12","v2.000_11","v2.000_10","v2.000_09","v2.000_07","v2.000_06","v2.000_05","v2.000_04","v2.000_03","v2.000_02","v2.000_00"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-15649.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}