Perl's Net::CIDR before 0.24 mishandles leading zeros in IP addresses

CVE-2021-4456
Summary

If you use Net::CIDR in Perl, make sure you're running version 0.24 or later. This update fixes a potential security issue that can let attackers bypass access controls using IP addresses. To stay safe, use the `cidrvalidate` function to check your input, or update to the latest version.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor: mrsam · Product: net · Affected versions: (not listed) · Fix available: –
Original description
Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact.

The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. In some cases an attacker may be able to leverage this to bypass access controls based on IP addresses.

The documentation advises validating untrusted CIDR strings with the `cidrvalidate` function. However, this mitigation is optional and not enforced by default. In practice, users may call `addr2cidr` or `cidrlookup` with untrusted input and without validation, incorrectly assuming that this is safe.
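The mechanism above is an encoding mismatch: an octet written as "010" is 10 to a parser that reads every octet as decimal, but 8 to an inet_aton-style parser that treats a leading zero as octal, so two components can disagree on which network the same string belongs to. The following is an added illustration written for this page, not code from Net::CIDR: three small parsers (naive decimal, octal-aware, and strict canonical), a CIDR membership check, and a gate that validates before lookup in the spirit of the documentation's `cidrvalidate` advice. All inputs are constructed.

```python
import ipaddress

def _split(ip):
    """Split a dotted quad into four textual octets, or None if malformed."""
    parts = ip.split(".")
    return parts if len(parts) == 4 and all(p.isdigit() for p in parts) else None

def parse_naive(ip):
    """Application-style parser: every octet read as decimal, so '010' -> 10."""
    parts = _split(ip)
    vals = [int(p, 10) for p in parts] if parts else None
    return tuple(vals) if vals and max(vals) <= 255 else None

def parse_octal_aware(ip):
    """inet_aton-style parser: an octet with a leading zero is octal, so '010' -> 8."""
    parts = _split(ip)
    if parts is None:
        return None
    try:
        vals = [int(p, 8) if len(p) > 1 and p[0] == "0" else int(p, 10) for p in parts]
    except ValueError:  # e.g. '09' is not valid octal
        return None
    return tuple(vals) if max(vals) <= 255 else None

def parse_strict(ip):
    """Canonical form only: no leading zeros, so the two readings above cannot differ."""
    parts = _split(ip)
    if parts is None or any(len(p) > 1 and p[0] == "0" for p in parts):
        return None
    vals = tuple(int(p, 10) for p in parts)
    return vals if max(vals) <= 255 else None

def in_cidr(octets, cidr):
    """True if the 4-octet tuple lies within cidr, e.g. '10.0.0.0/8'."""
    return ipaddress.IPv4Address(bytes(octets)) in ipaddress.ip_network(cidr, strict=False)

def readings_agree(ip, cidr):
    """Do the decimal and octal-aware readings of ip agree on membership in cidr?"""
    a, b = parse_naive(ip), parse_octal_aware(ip)
    return a is not None and b is not None and in_cidr(a, cidr) == in_cidr(b, cidr)

def access_decision(ip, allowlist):
    """Defensive gate: reject non-canonical notation before any CIDR lookup."""
    octets = parse_strict(ip)
    if octets is None:
        return "reject"
    return "allow" if any(in_cidr(octets, c) for c in allowlist) else "deny"
```

For the constructed input "010.0.0.1", `readings_agree` against 10.0.0.0/8 is False (decimal says inside, octal-aware says outside), while `access_decision` refuses the string outright, which is the behaviour the advisory's validation advice is meant to guarantee.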
NVD CVSS 3.1 score: 6.5
Vulnerability type
CWE-704
Published: 27 Feb 2026 · Updated: 14 Mar 2026 · First seen: 6 Mar 2026