CPAN Security Group

Welcome to the CPAN Security Group. This is a community effort for supporting and responding to security incidents on CPAN – the Comprehensive Perl Archive Network.

This group also cares about security-related topics around CPAN distributions, the CPAN/PAUSE infrastructure, and about tooling and the ecosystem in general. Over time, we aim to improve supply chain security, make CPAN a more secure and trustworthy publishing platform, and more.

CPANSec is the CVE Numbering Authority (CNA) for CPAN and Perl.

Learn more & Contribute

On CPAN, improving security is a volunteer-driven collaborative effort. If you care and would like to make a contribution, you can…

Resources

Recent news

CPANSec is CNA for Perl and the CPAN ecosystem

1 minute read & al.

The CPAN Security Group was authorized by the CVE Program as a CVE Numbering Authority (CNA) on Feb 25, 2025. A CNA assigns and manages CVE identifiers for p...

App::cpanminus downloads code using insecure HTTP

2 minute read

CVE-2024-45321: In its default configuration cpanminus uses insecure HTTP to download and install code from CPAN. This results in a CWE-494 weakness, enablin...

Vulnerable Spreadsheet Parsing modules

8 minute read

Between Dec 2023 and Jan 2024, vulnerabilities in Spreadsheet::ParseExcel and Spreadsheet::ParseXLSX were reported to the CPAN Security Group (CPANSec). This...

Recent blog posts

Add a security policy to your distributions

1 minute read

Adding a SECURITY or SECURITY.md file to your Perl distributions will let people know how to contact the maintainers if they find a security issue with your ...

More…