CPANSec is CNA for Perl and the CPAN ecosystem
The CPAN Security Group was authorized by the CVE Program as a CVE Numbering Authority (CNA) on Feb 25, 2025. A CNA assigns and manages CVE identifiers for p...
CPAN Security Group
Welcome to the CPAN Security Group. This is a community effort for supporting and responding to security incidents on CPAN β the Comprehensive Perl Archive Network.
This group also cares about security-related topics around CPAN distributions, the CPAN/PAUSE infrastructure, and about tooling and the ecosystem in general. Over time, we aim to improve supply chain security, make CPAN a more secure and trustworthy publishing platform, and more.
CPANSec is the CVE Numbering Authority (CNA) for CPAN and Perl.
Learn more & Contribute
On CPAN, improving security is a volunteer-driven collaborative effort. If you care and would like to make a contribution, you canβ¦
- Explore our main website
- Check us out on Github
- Join us in our Matrix channel, #cpansec-discussion on matrix.org
- Join us in our IRC channel, #cpan-security on irc.perl.org
- Send an e-mail to the CPAN Security Group <cpan-security@security.metacpan.org> π§
- Subscribe to @cpansec@fosstodon.org on the Fediverse π
Resources
- Security and incident policies
- How to Report a Security Issue
- The CPANSec CNA Disclosure Policy
- The CPANSec Contributor Pre-Release Disclosure Agreement
- Important Documents and other relevant resources
- Group charter β οΈ DRAFT
- Standards and regulations reading list β οΈ DRAFT
- Guides
- Consultations
- Projects overview on Github
- Meetings information and minutes
- Presentations about us and our work
Recent news
App::cpanminus downloads code using insecure HTTP
CVE-2024-45321: In its default configuration cpanminus uses insecure HTTP to download and install code from CPAN. This results in a CWE-494 weakness, enablin...
Vulnerable Spreadsheet Parsing modules
Between Dec 2023 and Jan 2024, vulnerabilities in Spreadsheet::ParseExcel and Spreadsheet::ParseXLSX were reported to the CPAN Security Group (CPANSec). This...
Introducing the CPAN Security Group
Thereβs a new group in the Perl + CPAN communities!
Recent blog posts
Are you still using the 2-argument open?
The 2-argument open function is insecure
CPANSec retrospective 2024
Here is the CPANSec 2024 Retrospective
Add a security policy to your distributions
Adding a SECURITY or SECURITY.md file to your Perl distributions will let people know how to contact the maintainers if they find a security issue with your ...
CPAN Authorβs Guide to Random Data for Security
Any secret token that allows someone to access a resource or perform an action should be generated with a secure random number generatorβ¦