CVE-2023-31484 Overview
CVE-2023-31484 is a certificate validation bypass vulnerability in CPAN.pm before version 2.35. When CPAN.pm downloads Perl distributions over HTTPS it does not verify the server's TLS certificate, so an attacker positioned between the client and the mirror can intercept the connection and substitute a modified distribution (a man-in-the-middle, MITM, attack) without triggering any error on the client.
Critical Impact
An attacker who can intercept the HTTPS session can serve a trojanized distribution that CPAN.pm accepts without warning. Because installing a distribution runs its Makefile.PL or Build.PL and its test suite as the installing user (often root), this is arbitrary code execution on every host that installs or updates modules through a vulnerable CPAN.pm, which makes it a supply chain compromise rather than a single-host issue.
Affected Products
- CPAN.pm (CPAN.pm Project), versions before 2.35
- Perl installations that ship or use a vulnerable CPAN.pm (CPAN.pm is a core module bundled with perl, so the perl package itself is listed as affected)
Discovery Timeline
- April 29, 2023 - CVE-2023-31484 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2023-31484
Vulnerability Analysis
The vulnerability is in CPAN.pm's built-in HTTPS download path, which did not verify the TLS certificate of the server it connected to. This is improper certificate validation (CWE-295): an https:// URL in the mirror list gives the impression of a protected channel, but the connection provides no protection against interception.
When CPAN.pm connects over HTTPS it should check that the server's certificate chains to a trusted certificate authority, is within its validity period, and matches the requested hostname. Versions prior to 2.35 did none of this: any certificate the server presented was accepted, including self-signed or expired certificates and certificates issued for a different domain. Nothing is logged or warned about, so the user has no signal that the channel was never authenticated.
This vulnerability is particularly dangerous in the context of package management systems, as it undermines the fundamental trust model of software distribution. An attacker who can position themselves in the network path between a user and a CPAN mirror can serve arbitrary Perl code that will be executed during module installation.
Root Cause
The root cause is that CPAN.pm's built-in HTTP client (CPAN::HTTP::Client, a wrapper around HTTP::Tiny) never enabled certificate verification. HTTP::Tiny verifies certificates only when it is constructed with verify_SSL => 1; the default is off, and CPAN.pm before 2.35 did not set it. The issue is specific to this built-in path: if CPAN.pm is configured to download with an external tool such as curl or wget, those tools verify certificates by default. This is part of a broader issue documented in the Hackeriet Blog on Insecure TLS affecting multiple Perl HTTP modules that default to insecure TLS settings.
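The HTTP::Tiny default described above, beside the hardened form, as an added example that is not CPAN.pm's own code. The function names and the commented-out URL are hypothetical; the HTTP::Tiny options it relies on (verify_SSL, SSL_options and the can_ssl method) are documented ones. The same pattern applies to any deployment script that fetches over HTTPS with HTTP::Tiny directly, not only to CPAN.pm:

```perl
#!/usr/bin/perl
# Added example, not CPAN.pm's own code: the HTTP::Tiny misuse behind
# CVE-2023-31484 next to the hardened form, plus a pre-flight check.
# Function names and the example URL are hypothetical; the HTTP::Tiny
# options used (verify_SSL, SSL_options, can_ssl) are documented ones.
use strict;
use warnings;
use HTTP::Tiny;

# Vulnerable pattern: verify_SSL defaults to 0, so an https:// URL still
# accepts any certificate (self-signed, expired, or for another host).
sub insecure_client {
    return HTTP::Tiny->new( agent => 'example-fetch/0.1' );
}

# Hardened pattern: verify_SSL => 1 makes HTTP::Tiny check the chain and the
# hostname through IO::Socket::SSL. An optional ca_file pins the trust store
# instead of relying on Mozilla::CA or the system bundle.
sub secure_client {
    my (%opt) = @_;
    my %ssl;
    $ssl{SSL_ca_file} = $opt{ca_file} if defined $opt{ca_file};
    return HTTP::Tiny->new(
        agent      => 'example-fetch/0.1',
        verify_SSL => 1,
        ( %ssl ? ( SSL_options => \%ssl ) : () ),
    );
}

# Pre-flight check: list every reason this client would not authenticate the
# mirror. An empty list means https:// downloads will be verified.
sub tls_problems {
    my ($client) = @_;
    my @problems;
    push @problems, 'verify_SSL is off (the HTTP::Tiny default)'
        unless $client->verify_SSL;
    # As an object method, can_ssl also confirms that a CA bundle can be
    # found when verification is requested.
    my ($ok, $why) = $client->can_ssl;
    if (!$ok) {
        chomp $why;
        push @problems, "TLS support unusable: $why";
    }
    return @problems;
}

# Fail-closed download: refuse plain http and unverified clients, and treat
# HTTP::Tiny's synthetic 599 response (which carries the IO::Socket::SSL
# error text on a certificate failure) as a hard error, never as content.
sub fetch_distribution {
    my ($client, $url) = @_;
    die "refusing non-https URL: $url\n" unless $url =~ m{^https://}i;
    my @problems = tls_problems($client);
    die "TLS misconfiguration: " . join('; ', @problems) . "\n" if @problems;
    my $res = $client->get($url);
    die "download failed: $res->{status} $res->{reason}: $res->{content}\n"
        unless $res->{success};
    return $res->{content};
}

if (!caller) {
    my $insecure = insecure_client();
    my $secure   = secure_client();
    printf "insecure client: %s\n", join('; ', tls_problems($insecure)) || 'no problems';
    printf "secure client:   %s\n", join('; ', tls_problems($secure))   || 'no problems';
    # Dies instead of returning attacker content when the mirror's certificate
    # does not chain to a trusted CA (hypothetical URL, not a real mirror):
    # fetch_distribution($secure, 'https://cpan.example.invalid/authors/id/X/XX/XXX/Foo-1.00.tar.gz');
}
```

Run as a script it prints the problems found for each client; on a host without IO::Socket::SSL and Net::SSLeay both clients are reported as unusable, which is the right outcome for a fetcher that must fail closed. CPAN.pm 2.35 enables verification in its own CPAN::HTTP::Client; code that constructs HTTP::Tiny itself has to pass verify_SSL => 1 explicitly.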
Attack Vector
The attack requires network-level positioning to intercept traffic between the victim and CPAN mirrors. Attackers can exploit this through:
Compromised Network Infrastructure - An attacker controlling routers, DNS servers, or other network infrastructure can redirect CPAN traffic to malicious servers.
Public Wi-Fi/Shared Networks - ARP spoofing or similar techniques on local networks allow traffic interception.
DNS Hijacking - Redirecting CPAN mirror domain resolution to attacker-controlled servers.
When a victim runs cpan SomeModule (or install SomeModule inside the CPAN shell), or an automated deployment script fetches modules, the attacker intercepts the HTTPS request. Because certificate validation is absent, the attacker presents their own certificate and serves a modified tarball containing malicious code. CPAN.pm unpacks it and runs its Makefile.PL or Build.PL immediately, so the attacker's code executes before any test or install step and the victim sees no warning.
Detection Methods for CVE-2023-31484
Indicators of Compromise
- Unexpected network connections to unknown IP addresses during CPAN module installations
- Modified or unfamiliar code in installed Perl modules compared to official CPAN sources
- Unusual system behavior or processes spawned after recent CPAN installations
- Downloads from a CPAN mirror that succeeded although the mirror presents a certificate that does not chain to a public CA or does not match its hostname (checked out-of-band, for example with openssl s_client -connect mirror:443 -servername mirror); a vulnerable client never logs a certificate error, so the absence of errors is not evidence that the channel was authenticated
Detection Strategies
- Monitor CPAN installation logs for connections to hosts or IP addresses other than the configured mirrors
- Implement network monitoring to detect potential MITM attacks targeting package downloads (unexpected DNS answers for mirror hostnames, ARP changes for the gateway)
- Compare checksums of installed distributions against the sha256 values in the PGP-signed CHECKSUMS file of the author's directory on a known-good CPAN mirror
- Log the certificates presented for CPAN mirror hostnames (Zeek's x509 log or Suricata's TLS logging) and alert when the issuer or subject changes
Monitoring Recommendations
- Enable verbose logging for CPAN operations to capture connection details
- Monitor for changes to installed Perl modules using file integrity monitoring (FIM)
- Set up alerts for CPAN installations occurring outside of approved change windows
- Review network traffic patterns during automated deployment processes
How to Mitigate CVE-2023-31484
Immediate Actions Required
- Upgrade CPAN.pm to version 2.35 or later on all systems; note that upgrading through cpan itself uses the vulnerable client, so do it from a trusted network or from a distribution package
- Audit recently installed Perl modules for signs of tampering
- Review deployment scripts and automation that may use vulnerable CPAN.pm versions
- Consider temporarily restricting CPAN installations to verified local mirrors
Patch Information
The fix was implemented in CPAN.pm version 2.35, which enables TLS certificate verification in the built-in HTTP client (verify_SSL => 1 for HTTP::Tiny). The GitHub CPAN Pull Request contains the technical implementation details. Linux distributions have released updates:
- Fedora: Security updates available via the Fedora Package Announcement
- Debian: Updates documented in the Debian LTS Announcement
- NetApp Products: Refer to the NetApp Security Advisory NTAP-20240621-0007
Full changelog available at MetaCPAN CPAN Changes.
Workarounds
- Configure CPAN to use a local, verified mirror instead of public mirrors
- Use system package managers (apt, dnf/yum) for Perl modules where possible, as they verify repository signatures on every download
- Implement network-level controls to ensure CPAN traffic only reaches verified mirrors
- Manually verify checksums of downloaded distributions before installation; the CHECKSUMS file must come from a trusted path or have its PGP signature verified (CPAN.pm's check_sigs option), because a CHECKSUMS file fetched over the same unverified connection can be replaced along with the tarball
# Check the installed CPAN.pm version (exit status 1 if older than 2.35)
perl -MCPAN -e 'print "$CPAN::VERSION\n"; exit($CPAN::VERSION >= 2.35 ? 0 : 1)'
# Upgrade CPAN.pm to the patched version (this download is still made by the
# vulnerable client: run it from a trusted network or use a distro package)
cpan CPAN
# Re-check the version after the upgrade
perl -MCPAN -e 'print "$CPAN::VERSION\n"'
# Configure CPAN to use a single trusted mirror, over HTTPS (inside the cpan shell)
cpan
o conf urllist https://your-trusted-mirror.example.com/CPAN/
o conf commit
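The checksum comparison recommended under Detection Strategies and again under Workarounds, as an added example that is not CPAN.pm's own code. It parses a CHECKSUMS file in the layout CPAN::Checksums writes (a Perl hashref between a PGP clearsign header and signature) with a regex instead of evaluating it as Perl, then compares the recorded sha256 with the digest of the bytes on disk. The CHECKSUMS excerpt and the "abc" stand-in for the tarball are constructed; the digest in the sample is the known SHA-256 of "abc", not of any real distribution:

```perl
#!/usr/bin/perl
# Added example, not CPAN.pm's own code: verify a downloaded distribution
# against the sha256 recorded in the author directory's CHECKSUMS file,
# parsing that file with a regex rather than eval'ing it as Perl.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed CHECKSUMS excerpt in the layout CPAN::Checksums writes. The
# digest for Example-Dist is the SHA-256 of the constructed stand-in bytes
# "abc" used below, not of a real distribution; the PGP signature is omitted.
my $CHECKSUMS = <<'END';
0&&<<''; # this PGP-signed message is also valid perl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# CHECKSUMS file written on Sat Jan  1 00:00:00 2023 GMT by CPAN::Checksums (v2.14)
$cksum = {
  'Example-Dist-1.00.tar.gz' => {
    'mtime' => '2023-01-01',
    'sha256' => 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad',
    'size' => 3
  },
  'Other-Dist-0.01.tar.gz' => {
    'mtime' => '2023-01-01',
    'sha256' => '0000000000000000000000000000000000000000000000000000000000000000',
    'size' => 99
  }
};
__END__
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
END

# Extract file => sha256 without executing the file. Never eval a CHECKSUMS
# file fetched over an unverified channel: it is attacker-controlled Perl.
sub parse_checksums {
    my ($text) = @_;
    my %sha;
    while ($text =~ /'([^']+)'\s*=>\s*\{(.*?)\}/sg) {
        my ($file, $body) = ($1, $2);
        my ($digest) = $body =~ /'sha256'\s*=>\s*'([0-9a-f]{64})'/;
        $sha{$file} = $digest if defined $digest;
    }
    return \%sha;
}

# Compare the digest of the bytes on disk with the recorded one. Returns
# (1, 'ok') or (0, reason). A missing entry is a failure: fail closed.
sub verify_distribution {
    my ($checksums, $file, $bytes) = @_;
    my $expected = $checksums->{$file}
        or return (0, "no sha256 for $file in CHECKSUMS");
    my $actual = sha256_hex($bytes);
    return $actual eq $expected
        ? (1, 'ok')
        : (0, "sha256 mismatch for $file: expected $expected, got $actual");
}

if (!caller) {
    my $sums = parse_checksums($CHECKSUMS);
    # Constructed stand-in bytes for the tarball; "abc" is the SHA-256 test
    # vector whose digest appears in the sample above.
    my ($ok, $why) = verify_distribution($sums, 'Example-Dist-1.00.tar.gz', 'abc');
    print "genuine:  $why\n";
    ($ok, $why) = verify_distribution($sums, 'Example-Dist-1.00.tar.gz', 'abd');
    print "tampered: $why\n";
    ($ok, $why) = verify_distribution($sums, 'Unknown-0.01.tar.gz', 'abc');
    print "unlisted: $why\n";
}
```

For a real check, read the tarball with binmode and pass its bytes to verify_distribution. The comparison only means something when the CHECKSUMS file is trusted: obtain it from a known-good mirror over a verified connection, or check its PGP signature first (CPAN.pm does this itself when check_sigs is enabled and gpg is available). A CHECKSUMS file pulled over the same unverified HTTPS connection as the tarball can be swapped by the same attacker.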
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.