CVE-2025-15649

CVE-2025-15649: IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date

Vendor Pmqs
Product IO::Uncompress::Unzip
Weakness CWE-248
Published May 27, 2026
Last update May 29, 2026

CVSS base score

What the vulnerability does

01Description

IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die. The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.

Key dates

02Disclosure timeline

May 27, 2026 CVE published
May 29, 2026 Record updated