perl: Perl directory handle race condition (CVE-2025-40909) #shorts
Summary
CVE-2025-40909 is a local privilege vulnerability in Perl threads where a race condition during thread creation can cause the process-wide current working directory to change unexpectedly. This may allow a local attacker to trick other threads into loading code or accessing files from unintended locations. The issue affects Perl versions from 5.13.6 up to, but not including, 5.41.13.
Product details
The flaw was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and first appeared in Perl 5.13.6. Distributions issuing security updates include Fedora 42, Oracle Linux 8, and Ubuntu 25.04. Users running any Perl version older than 5.41.13 should apply the vendor patches or upgrade to a fixed release immediately.
Vulnerability type summary
CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition) – threads share and clone directory handles without proper synchronization. CWE-426: Untrusted Search Path – temporarily changing the working directory can lead to loading code from attacker-controlled paths.
Details of the vulnerability
When a thread is created while a directory handle is open, Perl temporarily changes the process-wide current working directory in order to clone that handle. If two or more threads are already running, they may observe and act on the swapped working directory during that window. A local attacker who can arrange for a directory handle to be open at thread-creation time can use this window to make other threads read or execute files from unintended paths, potentially leading to code injection or unauthorized file access.
Conclusion
CVE-2025-40909 is a serious race-condition issue in multi-threaded Perl applications. Administrators and developers should upgrade to Perl 5.41.13 or later, or apply the available security updates from their distribution vendors. As a mitigation, avoid running untrusted code in the same process and use strict directory and file permissions to limit the attack surface.
Watch the full video on YouTube: CVE-2025-40909
Remediation and exploitation details
This chain involves the following actors
- Local attacker: Exploits the directory handle race condition to hijack file operations
The following systems are involved
- Multithreaded Perl application (Performs concurrent file operations in multiple threads): Victim of the working-directory switch race
Attack entry point
- Directory handle clone during thread creation: Opening a directory handle before spawning a new thread triggers a process-wide working directory change visible to other threads
Remediation actions
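The following Perl script is an added example, not part of the original page and not code from the Perl project. It shows the two script-level defences that follow from the mechanism described above: never keep a directory handle open across threads->create (so the clone step has nothing to fchdir() for), and resolve paths to absolute form in the parent before any worker thread exists (so a transient cwd change cannot redirect an open()). It also reports whether the running interpreter is in the affected range. It assumes a perl built with ithreads; the temporary directory and the file name app.conf are constructed for the demonstration.

```perl
#!/usr/bin/env perl
# Added example, not from the page or the Perl project. Assumes a perl built
# with ithreads ($Config{useithreads}); the temporary directory and app.conf
# are constructed for the demonstration.
use strict;
use warnings;
use threads;
use Config;
use Cwd qw(getcwd);
use File::Spec;
use File::Temp qw(tempdir);

# Check: is this interpreter in the affected range (5.13.6 <= perl < 5.41.13)
# and built with ithreads? Without ithreads no directory handle is ever cloned.
sub perl_is_affected {
    my $threaded = $Config{useithreads} ? 1 : 0;
    my $in_range = ($] >= 5.013006 && $] < 5.041013) ? 1 : 0;
    return $threaded && $in_range;
}

# Mitigation 1: do not hold an open directory handle across threads->create.
# Read the listing, close the handle, and only then spawn workers, so thread
# creation has no DIR* to copy and never switches the process-wide cwd.
sub list_dir_then_close {
    my ($dir) = @_;
    opendir(my $dh, $dir) or die "opendir $dir: $!";
    my @entries = grep { $_ ne '.' && $_ ne '..' } readdir($dh);
    closedir($dh);
    return sort @entries;
}

# Mitigation 2: resolve every path to absolute form in the parent, before any
# thread exists. An absolute path is unaffected by a transient cwd change.
sub abs_path_in_parent {
    my ($relative) = @_;
    return File::Spec->rel2abs($relative, getcwd());
}

# Workers open files only by the absolute path handed to them, never by a
# relative name that a cwd switch in another thread could redirect.
sub run_workers {
    my (@files) = @_;
    my @abs = map { abs_path_in_parent($_) } @files;
    my @workers = map {
        my $path = $_;
        threads->create(sub {
            open(my $fh, '<', $path) or return "cannot open $path: $!";
            local $/;
            my $data = <$fh>;
            close $fh;
            return sprintf "read %d bytes from %s", length($data), $path;
        });
    } @abs;
    return map { $_->join } @workers;
}

# Constructed demonstration: one config file in a temporary directory.
my $tmp = tempdir(CLEANUP => 1);
open(my $cfg, '>', "$tmp/app.conf") or die "write app.conf: $!";
print $cfg "key=value\n";
close $cfg;
chdir $tmp or die "chdir $tmp: $!";

printf "perl %vd affected: %s\n", $^V, perl_is_affected() ? 'yes' : 'no';
my @entries = list_dir_then_close('.');
print "entries before spawning: @entries\n";
print "$_\n" for run_workers('app.conf', 'app.conf');
```

Both mitigations are defence in depth for code that must keep running on an unpatched interpreter; the actual fix is the vendor update or Perl 5.41.13. The version check only says whether the interpreter is in the range the advisory names, not whether a distribution backport has already been applied, so treat a "yes" as a prompt to verify the package's changelog rather than as proof of exposure.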
Exploitation actions
Prepare a handle to clone
- opendir(my $dh, ".");
Trigger process-wide working directory switch to clone the handle
- threads->create(sub { 1 });  # thread body elided
Race where current working directory is unexpectedly changed
- open(my $fh, '<', 'sensitive.conf');
Exploit unintended cwd switch to pull in malicious modules or write data
- require '/tmp/evil.pm';
- open(my $out, '>', 'evil.log') and print $out 'compromised';
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9.patch
- https://www.openwall.com/lists/oss-security/2025/05/22/2
- https://github.com/Perl/perl5/issues/23010
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098226
- https://github.com/Perl/perl5/issues/10387
- https://perldoc.perl.org/5.14.0/perl5136delta#Directory-handles-not-copied-to-threads
- https://github.com/Perl/perl5/commit/11a11ecf4bea72b17d250cfb43c897be1341861e
- [2025-07-12] Fedora 42 releases a critical security update for Perl to fix CVE-2025-40909, addressing directory handling vulnerabilities.
- [2025-07-29] Ubuntu 25.04 has a critical Perl file access issue that could lead to unintended file operations.
- [2025-07-29] Oracle Linux 8 security update for Perl vulnerability CVE-2025-40909.