PatchSiren cyber security CVE debrief

CVE-2025-15649 PMQS CVE debrief

IO::Uncompress::Unzip versions before 2.215 for Perl propagate an uncaught exception when parsing a ZIP header with a malformed DOS date. The _dosToUnixTime() function decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die. The exception propagates out of IO::Uncompress::Unzip->new($file), where callers expect undef plus $UnzipError.

Vendor: PMQS
Product: IO::Uncompress::Unzip
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Perl applications that process untrusted ZIP files using IO::Uncompress::Unzip, particularly web applications, email gateways, content management systems, and automated processing pipelines that rely on the module's documented error handling behavior. Developers maintaining legacy Perl codebases with ZIP processing capabilities should prioritize this update.

Technical summary

The vulnerability stems from missing exception handling around Time::Local::timelocal() in the _dosToUnixTime() helper function. ZIP local file headers store modification timestamps in DOS format (16-bit date and time fields). When these fields contain invalid values (e.g., month 15, day 45), the resulting parameters passed to timelocal() fall outside its valid ranges, causing it to die(). The function lacks an eval guard, so this exception propagates upward through IO::Uncompress::Unzip->new(), breaking the module's documented error-handling contract, which promises to return undef and set $UnzipError on failure. Version 2.215 addresses this by wrapping the timelocal() call in eval and handling out-of-range dates appropriately.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade IO::Compress to version 2.215 or later to obtain the patched _dosToUnixTime() implementation
  • If immediate patching is not possible, wrap IO::Uncompress::Unzip->new() calls in eval blocks to catch unexpected exceptions and handle them as parsing failures
  • Validate ZIP files from untrusted sources before processing with IO::Uncompress::Unzip
  • Monitor application logs for unexpected die() exceptions originating from IO::Uncompress::Unzip operations
  • Review code that processes user-supplied ZIP archives to ensure proper exception handling exists around decompression operations

Evidence notes

The vulnerability exists in the _dosToUnixTime() function within IO::Uncompress::Unzip. When parsing a ZIP file's local file header, the function extracts DOS date/time fields and passes them to Time::Local::timelocal() without exception handling. Malformed headers with invalid date components (month > 12, day > 31, hour > 23, etc.) cause timelocal() to throw an exception that propagates uncaught rather than being converted to the expected error return pattern. The fix in version 2.215 wraps the timelocal() call in an eval block to catch and handle out-of-range date values gracefully.
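The following Perl is an added illustration of the failure mode described in the technical summary and evidence notes; it is not the module's own code and not the upstream fix. A hand-rolled decoder splits the two 16-bit DOS fields as the ZIP format lays them out, one helper calls Time::Local::timelocal() unguarded (the pre-2.215 behaviour), and the other wraps it in eval and returns the undef-plus-error pair that callers of the module expect. The sub names and the header field values are constructed for this example.

```perl
use strict;
use warnings;
use Time::Local qw(timelocal);

# Split the two 16-bit DOS fields of a ZIP local file header.
# date = YYYYYYYMMMMDDDDD (year since 1980, month 1-12, day 1-31)
# time = HHHHHMMMMMMSSSSS (seconds are stored divided by two)
sub decode_dos_datetime {
    my ($date, $time) = @_;
    my $day   =  $date        & 0x1F;
    my $month = ($date >>  5) & 0x0F;
    my $year  = ($date >>  9) + 1980;
    my $sec   = ($time        & 0x1F) * 2;
    my $min   = ($time >>  5) & 0x3F;
    my $hour  = ($time >> 11) & 0x1F;
    return ($year, $month, $day, $hour, $min, $sec);
}

# Unguarded conversion, reproducing the pre-2.215 failure mode: an
# out-of-range month/day/hour makes timelocal() die() and nothing catches it.
sub dos_to_unix_time_unguarded {
    my ($y, $mo, $d, $h, $mi, $s) = decode_dos_datetime(@_);
    return timelocal($s, $mi, $h, $d, $mo - 1, $y);
}

# Guarded conversion: eval turns the exception into (undef, error), which a
# caller can surface the same way as the documented undef + $UnzipError path.
sub dos_to_unix_time_guarded {
    my ($y, $mo, $d, $h, $mi, $s) = decode_dos_datetime(@_);
    my $t = eval { timelocal($s, $mi, $h, $d, $mo - 1, $y) };
    if ($@) { chomp(my $e = $@); return (undef, "malformed DOS date/time: $e"); }
    return ($t, undef);
}

# Constructed header fields (not taken from any real archive):
my $valid_date = (2024 - 1980) << 9 | 3 << 5 | 15;   # 2024-03-15 -> 0x586F
my $valid_time = 12 << 11 | 30 << 5;                  # 12:30:00   -> 0x63C0
my $bad_date   = (2024 - 1980) << 9 | 15 << 5 | 31;   # month 15 cannot exist

my ($t, $err) = dos_to_unix_time_guarded($valid_date, $valid_time);
print "well-formed header: ", scalar localtime($t), "\n";

($t, $err) = dos_to_unix_time_guarded($bad_date, $valid_time);
print "malformed header:   ", (defined $t ? $t : "undef ($err)"), "\n";

# The unguarded path dies; it runs under eval here only so the script finishes.
eval { dos_to_unix_time_unguarded($bad_date, $valid_time) };
print "unguarded path died: $@" if $@;
```

The third print shows the exception text a caller of a pre-2.215 module would see escaping from new(); with the guard in place, the same header yields undef and a message the caller can log and reject.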
