A critical vulnerability in App::cpanminus (cpanm), a popular tool for installing Perl modules, has been identified. Known as CVE-2024-45321, it allows attackers to intercept and manipulate traffic during module installation, posing significant cyber risks.
CVE-2024-45321
App::cpanminus, known for its lightweight and efficient handling of Perl module installations, is configured by default to fetch modules over plain HTTP rather than HTTPS. This is a CWE-494 weakness (Download of Code Without Integrity Check): the downloaded code is neither authenticated nor integrity-checked, so anyone who can influence the network path can tamper with it.
Because plain HTTP is neither encrypted nor authenticated, an attacker positioned between the user and the mirror could intercept and modify the distribution in transit; cpanm then builds and installs the modified code, leading to arbitrary code execution. This poses a significant security risk for users who rely on cpanminus to install Perl modules.
Mitigations
No official patch for cpanminus is available yet, but users can take several steps to protect their systems:
Option 1: Use an HTTPS Mirror
Users can configure cpanminus to use a secure HTTPS mirror by adding the --from argument:
$ cpanm --from https://www.cpan.org DISTNAME
To ensure all installations use HTTPS, set the PERL_CPANM_OPT environment variable:
$ export PERL_CPANM_OPT="--from https://www.cpan.org"
Note that this option will disable downloading older releases from BackPan and development (TRIAL) releases.
Option 2: Patch the cpanm Executable
To keep support for BackPan and TRIAL releases, users can patch the cpanm executable with this Perl command:
$ perl -pi -E 's{http://(www\.cpan\.org|backpan\.perl\.org|cpan\.metacpan\.org|fastapi\.metacpan\.org|cp
Option 3: Switch to a Secure Client
Users can switch to alternative clients like CPAN.pm (version 2.35 or later) or App::cpm, which default to HTTPS for secure module installations.
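As an added example (not part of the advisory or of the cpanm project), the following POSIX shell audit checks the two mitigations above: whether a cpanm executable still embeds plaintext http:// URLs for the CPAN hosts named in Option 2, whether a PERL_CPANM_OPT value pins an https:// --from mirror, and what the Option 2 rewrite leaves behind. The host list is limited to the hosts named on this page, and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not the advisory's or cpanm's own code): audit a cpanm
# installation for the plaintext-HTTP mirrors behind CVE-2024-45321.
# Host list: only the hosts named in the advisory's patch command.
CPAN_HOSTS='www\.cpan\.org|backpan\.perl\.org|cpan\.metacpan\.org|fastapi\.metacpan\.org'

# True (exit 0) if FILE still references one of the CPAN hosts over http://.
cpanm_uses_plain_http() {
    grep -Eq "http://($CPAN_HOSTS)" "$1"
}

# True (exit 0) if the given PERL_CPANM_OPT value pins an https:// --from mirror
# (both "--from URL" and "--from=URL" spellings are accepted).
cpanm_opt_forces_https() {
    printf '%s\n' "$1" | grep -Eq -- '(^|[[:space:]])--from[[:space:]=]+https://'
}

# sed equivalent of the advisory's Option 2 rewrite for the listed hosts;
# writes the rewritten file to stdout instead of editing in place.
https_rewrite() {
    sed -E "s#http://($CPAN_HOSTS)#https://\1#g" "$1"
}

demo() {
    tmp=$(mktemp) || return 1
    # Constructed stand-in for an unpatched cpanm: default mirrors are plain HTTP.
    cat > "$tmp" <<'EOF'
my $mirror  = 'http://www.cpan.org';
my $backpan = 'http://backpan.perl.org';
my $meta    = 'https://fastapi.metacpan.org/v1/';
EOF
    if cpanm_uses_plain_http "$tmp"; then
        echo "before: plaintext CPAN mirror URLs found"
    fi
    https_rewrite "$tmp" > "$tmp.patched"
    if cpanm_uses_plain_http "$tmp.patched"; then
        echo "after: plaintext mirror URLs remain"
    else
        echo "after: all listed mirrors now use https://"
    fi
    if cpanm_opt_forces_https "${PERL_CPANM_OPT:-}"; then
        echo "PERL_CPANM_OPT pins an https:// mirror"
    else
        echo "PERL_CPANM_OPT does not pin an https:// mirror"
    fi
    rm -f "$tmp" "$tmp.patched"
}

demo
```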
The Perl community is actively discussing solutions on platforms like GitHub to make cpanminus secure by default and prevent future vulnerabilities.
This issue underscores the importance of secure communication in software installations, and users are encouraged to implement these mitigations promptly to protect their systems.