CPAN Security Group

Welcome to the CPAN Security Group. This is a community effort for supporting and responding to security incidents on CPAN – the Comprehensive Perl Archive Network.

This group also cares about security-related topics around CPAN distributions, the CPAN/PAUSE infrastructure, and about tooling and the ecosystem in general. Over time, we aim to improve supply chain security, make CPAN a more secure and trustworthy publishing platform, and more.

Learn more & Contribute

On CPAN, improving security is a volunteer-driven collaborative effort. If you care and would like to make a contribution, you can…

• Explore our main website
• Check us out on Github
• Join us in our Matrix channel, #cpansec-discussion on matrix.org
• Join us in our IRC channel, #cpan-security on irc.perl.org
• Send an e-mail to the CPAN Security Group <cpan-security@security.metacpan.org> 📧
• Subscribe to @cpansec@fosstodon.org on the Fediverse 🐘

Resources

• Security and incident policies
  • How to Report a Security Issue
  • The CPANSec CNA Disclosure Policy
  • The CPANSec Contributor Pre-Release Disclosure Agreement
• Important Documents and other relevant resources
  • Group charter ⚠️ DRAFT
  • Standards and regulations reading list ⚠️ DRAFT
  • Guides
  • Consultations
• Projects overview on Github
• Meetings information and minutes
• Presentations about us and our work

CPANSec News

• Mar 12, 2025

  CPANSec retrospective 2024

  Here is the CPANSec 2024 Retrospective

• Feb 25, 2025

  CPANSec is CNA for Perl and the CPAN ecosystem

  The CPAN Security Group was authorized by the CVE Program as a CVE Numbering Authority (CNA) on Feb 25, 2025. A CNA assigns and manages CVE identifiers for projects in their scope.

• Jan 5, 2025

  Add a security policy to your distributions

  Adding a SECURITY or SECURITY.md file to your Perl distributions will let people know how to contact the maintainers if they find a security issue with your software...

• Jan 3, 2025

  CPAN Author's Guide to Random Data for Security

  Any secret token that allows someone to access a resource or perform an action should be generated with a secure random number generator...

• Dec 31, 2024

  Please keep your information up-to-date

  Some end of year reminders for CPAN Authors: Do all of your modules have up-to-date contact information?

• Aug 26, 2024

  App::cpanminus through 1.7047 downloads code using insecure HTTP

  CVE-2024-45321: In its default configuration cpanminus uses insecure HTTP to download and install code from CPAN. This results in a CWE-494 weakness, enabling code execution for network attackers.

• Feb 10, 2024

  Vulnerable Spreadsheet Parsing modules

  Between Dec 2023 and Jan 2024, vulnerabilities in Spreadsheet::ParseExcel and Spreadsheet::ParseXLSX were reported to the CPAN Security Group (CPANSec). This document describes the timeline and analysis of events.

• Jul 13, 2023

  Introducing the CPAN Security Group

  There's a new group in the Perl + CPAN communities!

subscribe via RSS