What is GHSA-hcq9-8v5x-mqjp?

GHSA-hcq9-8v5x-mqjp is a security advisory published by GitHub Security Advisories with Medium severity. IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing...

Which CVE IDs does GHSA-hcq9-8v5x-mqjp cover?

GHSA-hcq9-8v5x-mqjp covers the following CVE IDs: CVE-2025-15649. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-hcq9-8v5x-mqjp?

GHSA-hcq9-8v5x-mqjp has a CVSS v3 base score of 5.5, published by GitHub Security Advisories.

GHSA-hcq9-8v5x-mqjpMediumCVSS 5.5

IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing...

Vendor

GitHub Security Advisories

Published

May 27, 2026

Last Modified

May 29, 2026

🔗 CVE IDs covered (1)

CVE-2025-15649 →

📋 Description

IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date.

_dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die.

The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.

🔗 References (6)

https://nvd.nist.gov/vuln/detail/CVE-2025-15649
https://github.com/pmqs/IO-Compress/issues/65
https://github.com/pmqs/IO-Compress/commit/fd28c1d2374eee9811f6d0c5bddc0957abdf1da8.patch
https://metacpan.org/release/PMQS/IO-Compress-2.215/changes
http://www.openwall.com/lists/oss-security/2026/05/27/1
https://github.com/advisories/GHSA-hcq9-8v5x-mqjp