CPAN Security Group
Welcome to the CPAN Security Group. This is a community effort for supporting and responding to security incidents on CPAN, the Comprehensive Perl Archive Network.
This group also cares about security-related topics around CPAN distributions, the CPAN/PAUSE infrastructure, and about tooling and the ecosystem in general. Over time, we aim to improve supply chain security, make CPAN a more secure and trustworthy publishing platform, and more.
Learn more & Contribute
On CPAN, improving security is a volunteer-driven collaborative effort. If you care and would like to make a contribution, you can...
- Explore our main website
- Check us out on Github
- Join us in our Matrix channel, #cpansec-discussion on matrix.org
- Join us in our IRC channel, #cpan-security on irc.perl.org
- Send an e-mail to the CPAN Security Group <cpan-security@security.metacpan.org>
- Subscribe to @cpansec@fosstodon.org on the Fediverse
Resources
- Security and incident policies
- How to Report a Security Issue
- The CPANSec CNA Disclosure Policy
- The CPANSec Contributor Pre-Release Disclosure Agreement
- Important Documents and other relevant resources
- Group charter (DRAFT)
- Standards and regulations reading list (DRAFT)
- Guides
- Consultations
- Projects overview on Github
- Meetings information and minutes
- Presentations about us and our work
CPANSec News
CPANSec retrospective 2024
Here is the CPANSec 2024 Retrospective
CPANSec is CNA for Perl and the CPAN ecosystem
The CPAN Security Group was authorized by the CVE Program as a CVE Numbering Authority (CNA) on Feb 25, 2025. A CNA assigns and manages CVE identifiers for projects in their scope.
Add a security policy to your distributions
Adding a SECURITY or SECURITY.md file to your Perl distributions will let people know how to contact the maintainers if they find a security issue with your software...
CPAN Author's Guide to Random Data for Security
Any secret token that allows someone to access a resource or perform an action should be generated with a secure random number generator...
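As an added illustration (not code from CPANSec or from the guide itself), here is the contrast the guide is drawing, written for CPAN authors in Perl. It assumes the CPAN module Crypt::URandom is installed; the function names `weak_token` and `secure_token` are this example's own.

```perl
#!/usr/bin/perl
# Added example, not CPANSec's code: generating a secret token (session id,
# password-reset link, API key).  Assumes Crypt::URandom from CPAN is installed.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64url);  # core module, URL-safe encoding
use Crypt::URandom qw(urandom);         # CPAN: bytes from the OS CSPRNG

# WEAK: rand() is a general-purpose PRNG with a small seed.  It is fine for
# shuffling a playlist, but an attacker who sees a few tokens can recover the
# generator state and predict the tokens issued to other users.
sub weak_token {
    return join '', map { sprintf '%02x', int rand 256 } 1 .. 16;
}

# STRONG: draw the bytes from the operating system's cryptographic RNG.
# 32 bytes is 256 bits of entropy, which keeps guessing infeasible even for a
# long-lived API key; 16 bytes (128 bits) is the floor this example enforces.
# base64url makes the token safe to place in a URL, cookie or header.
sub secure_token {
    my $nbytes = shift // 32;
    die "refusing to issue a token shorter than 16 bytes\n" if $nbytes < 16;
    return encode_base64url( urandom($nbytes) );
}

my $token = secure_token();
printf "32 random bytes -> %d-character token: %s\n", length $token, $token;
```

The token length in characters grows with the byte count (43 characters for 32 bytes of base64url); what matters for security is the number of unpredictable bytes fed in, not the length of the printed string.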
Please keep your information up-to-date
Some end of year reminders for CPAN Authors: Do all of your modules have up-to-date contact information?
App::cpanminus through 1.7047 downloads code using insecure HTTP
CVE-2024-45321: In its default configuration, cpanminus uses insecure HTTP to download and install code from CPAN. This results in a CWE-494 weakness (download of code without integrity check), enabling code execution by network attackers.
Vulnerable Spreadsheet Parsing modules
Between Dec 2023 and Jan 2024, vulnerabilities in Spreadsheet::ParseExcel and Spreadsheet::ParseXLSX were reported to the CPAN Security Group (CPANSec). This document describes the timeline and analysis of events.
Introducing the CPAN Security Group
There's a new group in the Perl + CPAN communities!
subscribe via RSS