CVE-2025-40911: 
Linux Debian vulnerability analysis and mitigation

Net::CIDR::Set versions 0.10 through 0.13 for Perl contains a vulnerability related to improper handling of leading zero characters in IP CIDR address strings (CVE-2025-40911). The vulnerability was discovered and disclosed in May 2025, affecting the IPv4 address handling functionality in the module. Leading zeros in IP address octets are interpreted as octal numbers, which can lead to confusion between decimal and octal notation (NVD).

The vulnerability stems from the module's inability to properly validate IP addresses with leading zeros in their octets. When an IP address is provided with leading zeros (e.g., '010.0.0.1'), it should be interpreted as an octal number (8.0.0.1) rather than a decimal number (10.0.0.1). This behavior is inherited from the code originally used in Net::CIDR::Lite, which had a similar vulnerability CVE-2021-47154. The issue has been assigned CWE-1287 (Improper Validation of Specified Type of Input) (NVD).

The vulnerability could allow attackers to bypass access control that is based on IP addresses. The confusion between octal and decimal notation could lead to misidentification of IP addresses, potentially allowing unauthorized access to protected resources. For example, an attacker could manipulate IP addresses to make a public IP appear as part of a private subnet or vice versa (Blog Post).

The vulnerability has been fixed in Net::CIDR::Set version 0.14. The fix involves adding validation to reject IPv4 addresses with leading zeros in the quads. Users should upgrade to version 0.14 or later to address this security issue. The patch specifically adds a check using the pattern !/^0\d{1,2}$/ to prevent acceptance of octal notation (GitHub Patch).