CPAN Security Group

A forum for coordinating and help resolving security issues on CPAN. CVE Numbering Authority (CNA) for Perl and CPAN. Subscribe, contribute or join!

News

CPANSec is CNA for Perl and the CPAN ecosystem

February 25, 2025 1 minute read Stig Palmquist & al.

The CPAN Security Group was authorized by the CVE Program as a CVE Numbering Authority (CNA) on Feb 25, 2025. A CNA assigns and manages CVE identifiers for p...

App::cpanminus downloads code using insecure HTTP

August 26, 2024 2 minute read Stig Palmquist

CVE-2024-45321: In its default configuration cpanminus uses insecure HTTP to download and install code from CPAN. This results in a CWE-494 weakness, enablin...

Vulnerable Spreadsheet Parsing modules

February 10, 2024 8 minute read Timothy Legge

Between Dec 2023 and Jan 2024, vulnerabilities in Spreadsheet::ParseExcel and Spreadsheet::ParseXLSX were reported to the CPAN Security Group (CPANSec). This...

Introducing the CPAN Security Group

July 13, 2023 less than 1 minute read Salve J. Nilsen

There’s a new group in the Perl + CPAN communities!