
Cloud Vulnerability DB
A community-led vulnerabilities database
Sub::HandlesVia for Perl before version 0.050002 contains a security vulnerability (CVE-2025-30673) that allows untrusted code from the current working directory ('.') to be loaded, similar to CVE-2016-1238. The vulnerability was discovered in March 2025 and affects the Sub::HandlesVia Perl module. The issue stems from code generated by Mite, which adds the current working directory to the @INC path (NVD).
The vulnerability occurs because Sub::HandlesVia uses Mite to produce code sections, and Mite before version 0.013000 generates code that adds the current working directory ('.') to the @INC path. With '.' in @INC, Perl searches for modules in the current directory before looking in other locations. The issue is similar to the previously identified CVE-2016-1238, which highlighted the security risks of having '.' in @INC. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (NVD).
If an attacker can place a malicious file in the current working directory, it may be loaded instead of the intended file, potentially leading to arbitrary code execution. This creates a significant security risk as malicious code could be executed with the privileges of the running application (NVD).
The vulnerability has been fixed in Sub::HandlesVia version 0.050002. Users should upgrade to this version or later to address the security issue. The fix involves rebuilding the code using Mite version 0.013000, which properly handles the @INC path without including the current working directory (Perl Changes).
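To check whether a given Perl installation still carries an affected release, the following added example (not part of the advisory or of the Sub::HandlesVia project) compares the installed versions against the fixed versions named above. It reads `$VERSION` with the core Module::Metadata module, so the audited modules are never loaded or executed; the output layout is this example's own.

```perl
#!/usr/bin/env perl
# Added example (not from the advisory): version audit for CVE-2025-30673.
use strict;
use warnings;
use File::Spec;
use Module::Metadata;    # core module; parses $VERSION without running the file
use version;

# Fixed releases, as stated in the advisory text above.
my %fixed_in = ( 'Sub::HandlesVia' => '0.050002', 'Mite' => '0.013000' );

# Search absolute @INC directories only, so the audit never reads from the cwd.
my @dirs     = grep { !ref && File::Spec->file_name_is_absolute($_) } @INC;
my @relative = grep { !ref && !File::Spec->file_name_is_absolute($_) } @INC;

# Returns (status, installed version, file path) for one module name.
sub audit {
    my ($module) = @_;
    my $meta = Module::Metadata->new_from_module( $module, inc => \@dirs )
        or return ( 'not installed', '-', '-' );
    my $have = $meta->version;
    return ( 'version unknown', '-', $meta->filename ) unless defined $have;
    my $status = version->parse("$have") < version->parse( $fixed_in{$module} )
        ? 'AFFECTED' : 'fixed';
    return ( $status, "$have", $meta->filename );
}

my $affected = 0;
for my $module ( sort keys %fixed_in ) {
    my ( $status, $have, $file ) = audit($module);
    printf "%-16s %-16s installed=%-10s fixed-in=%s  %s\n",
        $module, $status, $have, $fixed_in{$module}, $file;
    $affected++ if $status eq 'AFFECTED';
}

# Independent of this CVE: relative entries in the interpreter's own @INC
# (for example via PERL_USE_UNSAFE_INC=1) recreate the CVE-2016-1238 condition.
print "relative \@INC entry: $_\n" for @relative;

# Non-zero exit lets CI or a configuration-management run flag the host.
exit( $affected ? 1 : 0 );
```

Run it once with each Perl interpreter and library path in use on the host, since every one has its own @INC and its own installed copy of the module.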
The Debian project has acknowledged the vulnerability and is working on backporting fixes to their stable releases. A security update has been proposed for inclusion in the next point release (Debian Release).
Source: This report was generated using AI