CVE-2025-40910
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk19th percentile - higher than 19% of all known CVEs
Summary
The vulnerability in Net::IP::LPM version 1.10 for Perl improperly handles leading zero characters in IP CIDR address strings, which could allow attackers to bypass IP-based access controls. Leading zeros are interpreted as octal notation, potentially confusing users.
Risk Assessment
The organization may face access control bypass if systems rely on IP address matching against allow/deny lists and an attacker uses an IP address with leading zeros.
Recommendation
Update the Net::IP::LPM library to the latest version that correctly handles leading zeros, or implement additional IP address validation before processing.
Original NVD description (English source)
Net::IP::LPM version 1.10 for Perl does not properly consider leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses. Leading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation.

