CVE-2025-40911: 
Linux Debian vulnerability analysis and mitigation

Net::CIDR::Set versions 0.10 through 0.13 for Perl contains a vulnerability (CVE-2025-40911) related to improper handling of leading zero characters in IP CIDR address strings. The vulnerability was discovered and disclosed in May 2025. The issue affects the IP address validation functionality, where leading zeros in IP address octets are not properly handled, which could allow attackers to bypass access control mechanisms (NVD, Wiz).

The vulnerability stems from the module's inability to properly validate IP addresses with leading zeros in their octets. When an IP address is provided with leading zeros (e.g., '010.0.0.1'), it should be interpreted as an octal number (8.0.0.1) rather than a decimal number (10.0.0.1). This behavior was inherited from Net::CIDR::Lite, which had a similar vulnerability CVE-2021-47154. The issue has been assigned CWE-1287 (Improper Validation of Specified Type of Input) and has received a CVSS v3.1 base score of 6.5 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (NVD, Blog Post).

The vulnerability could allow attackers to bypass access control that is based on IP addresses. The confusion between octal and decimal notation could lead to misidentification of IP addresses, potentially allowing unauthorized access to protected resources. For example, an attacker could manipulate IP addresses to make a public IP appear as part of a private subnet or vice versa (Blog Post).

The vulnerability has been fixed in Net::CIDR::Set version 0.14. The fix involves adding validation to reject IPv4 addresses with leading zeros in the quads. Users should upgrade to version 0.14 or later to address this security issue. The patch specifically adds a check using the pattern !/^0\d{1,2}$/ to prevent acceptance of octal notation (GitHub Patch, Changes File).