Perl Library Security Advisory — June 2026
2 CVEs | OS Command Injection & File Overwrite | Config::IniFiles & GD
Both vulnerabilities stem from unsafe use of Perl’s 2-argument open() with user-controlled filenames. Affected versions: Config::IniFiles < 3.001000 and GD < 2.86.
Two widely deployed Perl libraries — Config::IniFiles and GD — have published security fixes for operating system command injection vulnerabilities. Both flaws share a common root cause: the use of Perl’s 2-argument open() function with filenames supplied by the caller. When the filename begins or ends with a pipe character (|), Perl interprets it as a shell command rather than a file path, allowing an attacker who controls the filename parameter to execute arbitrary OS commands or overwrite arbitrary files. This is a well-understood anti-pattern in Perl (Perl::Critic policy InputOutput::ProhibitTwoArgOpen flags it), yet it persists in older library versions that remain in widespread use across CPAN-dependent projects, legacy Perl applications, and Linux distribution packages.
The Common Vulnerability Pattern: 2-Argument open()
Perl’s open() function accepts two calling conventions:
- 2-argument open: `open(FH, $filename)` — Perl inspects `$filename` for special characters. If the string starts or ends with `|`, it is executed as a shell command. If it starts with `>` or `>>`, it opens for writing or appending. This “magic” behaviour is the root of the vulnerability.
- 3-argument open: `open(FH, '<', $filename)` — The mode is explicit. Perl treats `$filename` literally as a filename regardless of its contents. No command execution occurs.
The fix in both libraries is to replace all 2-argument open() calls with 3-argument equivalents, removing the shell interpretation path entirely. Additionally, both libraries have added input validation to reject filenames containing shell metacharacters as a defense-in-depth measure.
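As an added illustration (not code from Config::IniFiles or GD), the following wrapper applies both parts of the fix described above: an explicit-mode 3-argument open() and an allow-list check on the filename. The wrapper names and the sample filenames are assumptions; File::Spec and File::Temp are core modules.

```perl
#!/usr/bin/env perl
# Added example, not code from Config::IniFiles or GD: 3-argument open()
# plus an allow-list check, the two parts of the fix described above.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# The vulnerable shape from the advisory, shown for contrast only:
#     open(my $fh, $path);      # 2-argument: '|cmd' or '>file' is not a path
# Hardened shape: the mode is explicit, so $path is always a literal filename.
sub open_safe {
    my ($mode, $path) = @_;
    die "refusing suspicious filename '$path'\n" unless filename_is_clean($path);
    open(my $fh, $mode, $path) or die "cannot open '$path': $!\n";
    return $fh;
}

# Defence in depth: allow-list the basename instead of enumerating shell
# metacharacters. Only the basename is treated as user-controlled here; the
# directory comes from the application itself.
sub filename_is_clean {
    my ($path) = @_;
    return 0 unless defined $path && length $path;
    return 0 if $path =~ /[\x00\r\n]/;            # NUL and newlines, never valid
    my (undef, undef, $base) = File::Spec->splitpath($path);
    return $base =~ /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/ ? 1 : 0;
}

# Demonstration on a scratch directory. The hostile name is constructed and
# is rejected before any open() is attempted.
my $dir  = tempdir(CLEANUP => 1);
my $good = File::Spec->catfile($dir, 'app.ini');
my $bad  = File::Spec->catfile($dir, '|id');

my $out = open_safe('>', $good);
print {$out} "[main]\nkey=value\n";
close $out or die "close failed: $!\n";

my $in    = open_safe('<', $good);
my @lines = <$in>;
close $in;
print "read ", scalar(@lines), " line(s) from $good\n";

eval { open_safe('<', $bad) };
print "rejected: $@" if $@;
```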
CVE-2026-11527 — Config::IniFiles OS Command Injection via -file Argument
Severity: High
Component: Config::IniFiles (CPAN module)
Affected versions: All versions prior to 3.001000
Attack vector: Local / application-level, via user-supplied filename
Config::IniFiles is one of the most popular Perl modules for reading and writing Windows-style .ini configuration files. It is a dependency of hundreds of CPAN distributions and is bundled in most major Linux distributions. The vulnerability exists in how the module handles the -file parameter passed to its constructor and various file-reading methods.
When an application uses Config::IniFiles with a filename derived from user input — for example, a web application that allows users to upload or specify an INI file path, or a script that accepts a configuration file path from command-line arguments or environment variables — an attacker can supply a filename prefixed with a pipe character to execute arbitrary shell commands with the privileges of the Perl process. Alternatively, a filename starting with a redirection character can overwrite arbitrary files on the system.
The issue was resolved in version 3.001000 by migrating all open() calls to the 3-argument form and adding explicit filename validation.
CVE-2026-11526 — GD OS Command Injection via Filename Parameters
Severity: High
Component: GD (CPAN module, Perl interface to libgd)
Affected versions: All versions prior to 2.86
Attack vector: Local / application-level, via user-supplied filename
GD is the primary Perl interface to the libgd graphics library, providing image creation and manipulation capabilities. It is used extensively in web applications for generating charts, CAPTCHAs, thumbnails, and dynamic image content. The GD module is a core dependency for many Perl-based web frameworks and CMS platforms.
The vulnerability manifests in multiple GD methods that accept filenames for image output operations, including png(), jpeg(), gif(), wbmp(), and related file-writing functions. When a calling application passes a user-influenced filename to any of these methods, the underlying 2-argument open() interprets shell metacharacters in the filename.
In a typical web application scenario, a user might be able to influence the output filename through a Content-Disposition header, a URL parameter specifying a download name, or a form field for export file naming. An attacker can craft a filename containing shell metacharacters that the GD module will interpret and execute when opening the file for writing. Similarly, a filename prefixed with a redirection operator can overwrite critical system or application files.
The fix in GD 2.86 replaces all 2-argument open() invocations with 3-argument equivalents and adds sanitisation to strip or reject shell metacharacters from filename inputs.
Affected Versions (Consolidated)
| Library | CVE | Affected Versions | Fixed Version |
|---|---|---|---|
| Config::IniFiles | CVE-2026-11527 | < 3.001000 | 3.001000+ |
| GD | CVE-2026-11526 | < 2.86 | 2.86+ |
Fix (Consolidated)
Both vulnerabilities are resolved by upgrading to the latest versions of the affected libraries:
- Config::IniFiles: Upgrade to version 3.001000 or later via CPAN: `cpan install Config::IniFiles` or `cpanm Config::IniFiles`
- GD: Upgrade to version 2.86 or later via CPAN: `cpan install GD` or `cpanm GD`. Note that GD requires the libgd C library; ensure your system’s `libgd-dev` (or equivalent) package is current.
For projects using a cpanfile:
requires 'Config::IniFiles', '>= 3.001000';
requires 'GD', '>= 2.86';
For Linux distribution packages, check your vendor’s security advisory channels. The following distributions have published or are expected to publish updated packages:
- Debian / Ubuntu: `apt update && apt upgrade libconfig-inifiles-perl libgd-perl`
- Red Hat / Fedora: `dnf update perl-Config-IniFiles perl-GD`
- Alpine: `apk upgrade perl-config-inifiles perl-gd`
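To confirm that the upgrade actually landed on a given host, container or CI runner, here is an added check (not from the advisory or either project) that loads each module and compares its installed version against the fixed versions in the table above. The `version` module is core; the status names and exit-code convention are assumptions.

```perl
#!/usr/bin/env perl
# Added example, not from the advisory: compare installed versions of the
# two affected modules against the fixed versions and fail the build if
# either is still vulnerable.
use strict;
use warnings;
use version;

my %FIXED_IN = (
    'Config::IniFiles' => '3.001000',   # CVE-2026-11527
    'GD'               => '2.86',       # CVE-2026-11526
);

# Returns (status, installed_version) for one module. Status is 'ok',
# 'vulnerable', 'missing' (cannot be loaded, e.g. GD without libgd) or
# 'unknown' (loaded but no $VERSION).
sub check_module {
    my ($module, $fixed) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    return ('missing', undef) unless eval { require $file; 1 };
    my $installed = $module->VERSION;
    return ('unknown', undef) unless defined $installed;
    my $status = version->parse($installed) >= version->parse($fixed)
               ? 'ok' : 'vulnerable';
    return ($status, $installed);
}

my $failures = 0;
for my $module (sort keys %FIXED_IN) {
    my ($status, $installed) = check_module($module, $FIXED_IN{$module});
    printf "%-18s %-10s installed=%s fixed=%s\n",
        $module, $status, $installed // 'n/a', $FIXED_IN{$module};
    # Treat an unversioned install as a failure too: it cannot be verified.
    $failures++ if $status eq 'vulnerable' || $status eq 'unknown';
}
exit($failures ? 1 : 0);
```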
Recommendations for Perl Shops
- Upgrade immediately. Both Config::IniFiles and GD are present in most Perl deployments. Upgrade to Config::IniFiles 3.001000+ and GD 2.86+ across all environments — development, staging, CI/CD runners, and production. The OS command injection vector is reliably exploitable wherever user input reaches a filename parameter.
- Audit your dependency tree for 2-argument open(). These two CVEs are almost certainly not the only instances of this pattern in your Perl codebase or dependency chain. Run Perl::Critic with the `InputOutput::ProhibitTwoArgOpen` policy across your entire project, including vendored and local::lib modules. Prioritise any hits in code paths that handle user-supplied filenames.
- Grep for shell metacharacters in filename inputs. As a quick operational check, search your application logs and codebase for filename parameters containing pipe, redirection, or semicolon characters. Any such occurrences in production logs may indicate active or attempted exploitation.
- Validate filenames at the application boundary. Even with the library fixes in place, apply defense-in-depth by validating and sanitising all filename inputs before they reach library calls. Reject filenames containing shell metacharacters, newlines, or null bytes. Prefer allow-lists (e.g., alphanumeric, dot, dash, underscore) over deny-lists where feasible.
- Use 3-argument open() in your own code. If you maintain Perl code that calls `open()` with variable filenames, migrate to the 3-argument form. This is a trivial one-line change in most cases: `open(FH, $file)` becomes `open(FH, '<', $file)`. For output: `open(FH, ">$file")` becomes `open(FH, '>', $file)`.
- Review CPAN module versions across your infrastructure. Perl applications in containers, legacy servers, and shared hosting environments often run older CPAN module versions that are not regularly updated. Inventory your installed modules (`cpan -l` or `perl -MConfig::IniFiles -e 'print $Config::IniFiles::VERSION'`) and compare against the fixed versions above. Automate this check in your CI pipeline to catch regressions.
- Monitor for exploitation attempts. Watch for unusual shell command execution patterns from Perl processes, unexpected file creation in sensitive directories, and network connections originating from your Perl application to unfamiliar external hosts. These may indicate successful exploitation of 2-argument open() vulnerabilities.
- Consider the broader CPAN ecosystem. The 2-argument open() pattern has been a known anti-pattern in Perl for over two decades. If Config::IniFiles and GD — two of the most prominent and well-maintained CPAN modules — contained this flaw until mid-2026, it is highly likely that less prominent modules in your dependency tree have similar issues. Budget time for a systematic audit of your CPAN dependency surface.
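As an added example of the log check recommended above (not part of the advisory), this script scans access-log lines for filename-style query parameters whose percent-decoded value contains pipe, redirection or semicolon characters. The parameter names and the sample log lines are constructed; adapt the list to your own application.

```perl
#!/usr/bin/env perl
# Added example, not from the advisory: flag request-log lines in which a
# filename-style query parameter carries shell metacharacters.
use strict;
use warnings;

# Query parameters that typically end up as filenames; assumed names,
# extend for your own application.
my @FILENAME_PARAMS = qw(file config ini filename name output download);
my $param_re = join '|', map { quotemeta } @FILENAME_PARAMS;

# The characters the advisory singles out (pipe, redirection, semicolon)
# plus NUL and newlines, which are never legitimate in a filename.
my $META_RE = qr/[|<>;\x00\r\n]/;

# Percent-decoding, so that %7C is seen as '|' and %3E as '>'.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# Returns a list of [param, decoded_value] pairs that look suspicious.
sub suspicious_filenames {
    my ($line) = @_;
    my @hits;
    while ($line =~ /[?&]($param_re)=([^&\s"]*)/g) {
        my ($name, $value) = ($1, url_decode($2));
        push @hits, [$name, $value] if $value =~ $META_RE;
    }
    return @hits;
}

# Constructed sample lines in common access-log format; not real traffic.
my @sample = (
    '10.0.0.5 - - [01/Jun/2026:10:00:01 +0000] "GET /export?file=report.ini HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jun/2026:10:00:02 +0000] "GET /export?file=%7Cid HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jun/2026:10:00:03 +0000] "GET /thumb?name=%3E/tmp/clobbered.png HTTP/1.1" 500 0',
);

for my $line (@sample) {
    for my $hit (suspicious_filenames($line)) {
        printf "ALERT param=%s value=%s\n", @{$hit};
    }
}
```

Only the second and third sample lines produce an ALERT; the first, a plain `report.ini`, passes.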
References
- NVD: CVE-2026-11527 — Config::IniFiles
- NVD: CVE-2026-11526 — GD
- MetaCPAN: Config::IniFiles
- MetaCPAN: GD
- Perl::Critic: ProhibitTwoArgOpen Policy
- Perl Documentation: open()
Series Disclaimer: This advisory is part of Threat Modeling’s ongoing vulnerability intelligence series. CVE information is sourced from public NVD listings and vendor advisories. Always consult official vendor bulletins and perform your own risk assessment before applying patches to production systems.
