CVE-2026-48962 Overview
CVE-2026-48962 affects IO::Compress versions before 2.220 for Perl. The flaw allows attackers to execute arbitrary Perl code through the File::GlobMapper module when an output glob string is attacker-controlled. The _parseOutputGlob() function wraps the caller-supplied string in double quotes and stores it in parser state. The _getFiles() function then evaluates the stored expression through eval STRING. A literal double quote in the output glob closes the wrapper, and subsequent characters execute as Perl code at the calling process's privilege level. This is classified as Improper Neutralization of Directives in Dynamically Evaluated Code, also known as Eval Injection [CWE-95].
Critical Impact
Attackers controlling the output glob parameter can execute arbitrary Perl code with the privileges of the process invoking IO::Compress, leading to code execution and potential system compromise.
Affected Products
- IO::Compress for Perl versions prior to 2.220
- File::GlobMapper module bundled with IO::Compress
- Perl applications calling globmap() with untrusted output glob input
Discovery Timeline
- 2026-05-27 - CVE-2026-48962 published to NVD
- 2026-05-27 - Public disclosure on Openwall OSS-Security mailing list
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-48962
Vulnerability Analysis
The vulnerability is an Eval Injection flaw inside the File::GlobMapper Perl module. The globmap() interface accepts an input glob and an output glob, then expands them to map source filenames to destination filenames. During parsing, _parseOutputGlob() constructs a Perl expression string that interpolates the user-supplied output glob inside double quotes. The string is stored in the parser state. Later, _getFiles() calls eval STRING on that constructed expression to perform variable interpolation. Because the user-supplied output glob is concatenated unescaped into a double-quoted string passed to eval, an attacker who injects a literal double quote can terminate the string context. Any Perl code that follows is then parsed and executed by the interpreter.
Root Cause
The root cause is the use of Perl's string-form eval to perform what should be straightforward string substitution. The parser trusts the contents of the output glob and does not escape characters that have meaning inside double-quoted strings or inside the Perl source feed to eval. Quote characters, backslashes, sigils, and command interpolation constructs all pass through unfiltered.
Attack Vector
Any Perl program that passes attacker-influenced data as the output glob to IO::Compress routines or directly to File::GlobMapper::globmap() is exposed. The injected payload runs with the privileges of the calling process. Common exposure patterns include web handlers, file processing pipelines, and command-line tools that derive output paths from request parameters, configuration files, or untrusted archives.
// Security patch in lib/File/GlobMapper.pm - remove use of eval in globmapper. #73
$VERSION = '1.001';
@EXPORT_OK = qw( globmap );
+our $BEGIN_DELIM = "\\xFF";
+our $END_DELIM = "\\xFE";
+our $BACKSLASH_ESC = "\\xFD";
+our $HASH_ESC = "\\xFC";
+our $STAR_ESC = "\\xFB";
our ($noPreBS, $metachars, $matchMetaRE, %mapping, %wildCount);
$noPreBS = '(?<!\\\)' ; # no preceding backslash
Source: GitHub Commit Patch
The patch introduces sentinel byte delimiters and replaces the eval STRING parsing flow with explicit, non-evaluated substitution, removing the injection sink entirely.
Detection Methods for CVE-2026-48962
Indicators of Compromise
- Unexpected child processes spawned by Perl interpreters that load IO::Compress or File::GlobMapper
- Outbound network connections originating from Perl-based file archiving or processing services
- Presence of double-quote characters or Perl sigils ($, @, backticks) inside file path or archive output parameters in application logs
- Modifications to user-writable directories immediately following calls to globmap() or IO::Compress constructors
Detection Strategies
- Audit Perl dependency manifests for IO-Compress versions earlier than 2.220 across servers and developer workstations
- Instrument application logs to record output glob arguments passed into archiving routines and alert on metacharacter patterns
- Apply runtime endpoint monitoring rules that flag perl processes spawning shells, network utilities, or interpreters such as sh, bash, curl, or wget
Monitoring Recommendations
- Track CPAN module inventory and compare installed versions against the fixed 2.220 baseline
- Monitor process execution telemetry for parent-child relationships rooted at Perl scripts that handle untrusted archives
- Forward Perl application logs containing file mapping operations to a centralized analytics platform for anomaly review
How to Mitigate CVE-2026-48962
Immediate Actions Required
- Upgrade IO::Compress to version 2.220 or later on all systems where the module is installed
- Identify Perl applications that invoke File::GlobMapper::globmap() and review whether output glob arguments come from untrusted sources
- Restrict privileges of services that run Perl archiving code so that successful exploitation yields the minimum possible access
Patch Information
The fix is committed in IO::Compress 2.220. The maintainer removed the eval STRING call inside File::GlobMapper and replaced it with sentinel-delimited substitution. Review the GitHub Commit Patch and the MetaCPAN Release Changes for full details. Background discussion is available on the Openwall OSS-Security Discussion.
Workarounds
- Sanitize output glob inputs by rejecting strings containing double quotes, backslashes, sigils, and backticks before passing them to globmap()
- Wrap calls to IO::Compress and File::GlobMapper so that output paths are constructed by trusted code rather than supplied by callers
- Run Perl services under dedicated low-privilege accounts to limit the blast radius of successful eval injection
# Upgrade IO-Compress via cpanm to the patched release
cpanm IO::Compress@2.220
# Verify the installed version
perl -MIO::Compress::Base -e 'print "$IO::Compress::Base::VERSION\n"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
