CVE-2025-40909 Overview
CVE-2025-40909 is a race condition vulnerability in Perl's threading implementation that affects the working directory during thread creation. When a directory handle is open at thread creation time, the process-wide current working directory is temporarily changed to clone that handle for the new thread. This change is visible to any third (or subsequent) threads already running, creating a window where file operations may target unintended paths.
This vulnerability may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit for code execution or unauthorized file access.
Critical Impact
Local attackers can exploit the race condition window to manipulate file operations in multi-threaded Perl applications, potentially leading to untrusted code execution or unauthorized file access.
Affected Products
- Perl versions 5.13.6 and later (introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e)
- Multi-threaded Perl applications using directory handles
- Systems running threaded Perl scripts with open directory handles
Discovery Timeline
- May 30, 2025 - CVE-2025-40909 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-40909
Vulnerability Analysis
This vulnerability is classified under CWE-426 (Untrusted Search Path). The flaw exists in how Perl handles directory handles when creating new threads. During the thread cloning process, Perl temporarily modifies the process-wide current working directory to properly duplicate directory handles for the new thread. This creates a Time-of-Check Time-of-Use (TOCTOU) race condition window.
The vulnerability requires local access and affects multi-threaded Perl applications where directory handles are open during thread creation. An attacker who can influence the timing of file operations in another running thread could potentially redirect file operations to attacker-controlled locations.
Root Cause
The root cause is the temporary modification of the process-wide current working directory during thread creation. When Perl clones a directory handle for a new thread, it changes the working directory at the process level rather than using thread-local operations. This design decision, introduced in Perl 5.13.6 via commit 11a11ecf4bea72b17d250cfb43c897be1341861e, creates a race condition where concurrent threads may observe an unexpected working directory state.
Attack Vector
The attack vector is local, requiring the attacker to have access to the system running the vulnerable Perl application. The attack scenario involves:
- A multi-threaded Perl application with at least three threads
- One thread opens a directory handle
- During thread creation, the process working directory temporarily changes
- A concurrent thread performs file operations during this window
- File operations resolve against the temporary working directory instead of the expected path
This could allow an attacker to trick the application into loading malicious code or accessing sensitive files from unexpected locations, particularly if the attacker can control or predict the temporary directory path.
The vulnerability mechanism involves Perl's internal thread cloning behavior. When a new thread is created with an open directory handle, the runtime temporarily changes the process-wide current working directory to clone that handle. During this brief window, any file operations performed by other running threads will resolve paths relative to the temporary directory rather than the expected working directory. For detailed technical analysis, see the GitHub Issue #23010 and the Openwall OSS-Security Discussion.
Detection Methods for CVE-2025-40909
Indicators of Compromise
- Unexpected file access patterns in Perl application logs showing operations on unintended paths
- Multi-threaded Perl scripts experiencing intermittent file operation failures or accessing wrong files
- Application errors related to missing files or incorrect file content in threaded Perl programs
- Audit logs showing file operations in unexpected directories during high thread creation activity
Detection Strategies
- Monitor for Perl processes with multiple threads that open directory handles during thread creation
- Implement file integrity monitoring on critical directories accessed by Perl applications
- Use strace or similar tools to trace working directory changes (chdir syscalls) in suspicious Perl processes
- Deploy behavioral analysis to detect anomalous file access patterns in multi-threaded Perl applications
Monitoring Recommendations
- Enable detailed audit logging for file system operations by Perl processes
- Monitor thread creation events in production Perl applications using system call tracing
- Set up alerts for unexpected working directory changes in critical Perl services
- Review Perl application logs for path-related errors that may indicate race condition exploitation
How to Mitigate CVE-2025-40909
Immediate Actions Required
- Audit multi-threaded Perl applications for directory handle usage during thread creation
- Avoid opening directory handles before creating threads, or close them prior to thread creation
- Use absolute paths for all file operations in multi-threaded Perl code to avoid working directory dependencies
- Consider migrating critical applications to forking instead of threading where feasible
Patch Information
A patch is available for this vulnerability. The fix is documented in the GitHub Patch for the Perl interpreter. System administrators should update Perl to a patched version when available from their distribution vendor. The Debian Bug Report #1098226 tracks the issue for Debian-based systems.
Workarounds
- Close all directory handles before creating new threads in Perl applications
- Use absolute paths exclusively in multi-threaded Perl code to eliminate working directory dependencies
- Implement application-level locking around file operations when directory handles must remain open during thread creation
- Isolate critical file operations in single-threaded code sections where possible
# Configuration example - Use absolute paths in Perl scripts
# Instead of relative paths, always use fully qualified paths
# Verify Perl version to check if vulnerable (5.13.6 and later)
perl -v | grep version
# Check for open directory handles in running Perl processes
lsof -c perl | grep DIR
# Monitor chdir syscalls to detect race condition exploitation
strace -f -e chdir -p <perl_pid>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
