CVE-2025-40909 in Perl
Summary
by MITRE • 05/30/2025
Perl threads have a working directory race condition where file operations may target unintended paths.
If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running.
This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit.
The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6.
Analysis
by VulDB Data Team • 11/02/2025
The vulnerability described in CVE-2025-40909 is a critical race condition in Perl's threading implementation that undermines the security of file operations across concurrent execution contexts. The flaw is triggered when a thread is created while a directory handle is open: during thread cloning, the process-wide current working directory is temporarily modified. The weakness stems from how Perl's internals handle directory descriptors and thread synchronization, because the working directory change affects every running thread rather than being isolated to the thread being created. The race condition arises because the interpreter temporarily alters the global working directory in order to clone the handle, and this modification persists beyond the immediate thread creation scope, creating a window in which subsequent threads may operate under an unexpected directory context.
The operational impact extends beyond simple file access confusion and may enable more sophisticated exploitation. A local attacker who can predict or manipulate the timing of thread creation and directory handle usage may force file operations to target malicious locations instead of their intended destinations: code may be loaded from unexpected directories, sensitive files may be accessed from unintended locations, and arbitrary file system interactions may lead to privilege escalation or data compromise. Because the modified state is visible to multiple threads, other concurrently running threads may continue operating under the modified working directory even after the initial thread creation, which extends the attack surface. The weakness is classified as CWE-362, race conditions in which multiple threads or processes access a shared resource without proper synchronization.
The root cause traces back to commit 11a11ecf4bea72b17d250cfb43c897be1341861e, incorporated into Perl version 5.13.6, so the vulnerability is present in all subsequent releases of the Perl interpreter. That change attempted to optimize thread handle cloning by temporarily manipulating the working directory, but failed to isolate the change from the rest of the process. The pattern violates basic principles of process isolation and resource management, since a global state modification affects unintended execution contexts. An attacker exploits it by arranging for directory handles to be open during thread creation and then triggering file operations that execute under the modified working directory. The ATT&CK framework maps this type of vulnerability to T1059.007 for Unix shell commands and T1078 for valid accounts, as a local attacker can leverage the modified working directory to execute malicious code or access unauthorized resources through ordinary file system operations that would otherwise be constrained by proper working directory management.
Mitigation requires both immediate and long-term measures. System administrators should upgrade to the latest stable Perl release that contains the fix for this race condition, since the vulnerability is tied to the threading implementation introduced in version 5.13.6. Applications using Perl threads should also adopt defensive practices: set the working directory explicitly before creating threads, avoid holding directory handles open during thread creation, and use proper synchronization to prevent the race. Organizations should consider monitoring for unusual file system access patterns that might indicate exploitation attempts. The fix itself typically modifies the thread cloning mechanism so that working directory changes are isolated to the thread being created rather than propagated process-wide, consistent with the secure coding practice of minimizing global state changes and managing resource contexts carefully in multi-threaded code.
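The defensive pattern described above, written out in Perl as an added example (not code from the advisory or from the Perl project): every path is resolved to absolute form and the directory handle is closed before any thread exists, and thread creation is serialized under a shared lock. The etc/app.conf and lib/Plugin.pm layout and the worker function are assumptions made for this example.

```perl
use strict;
use warnings;
use threads;
use threads::shared;
use Cwd qw(abs_path);
use File::Spec;

# Lock that serializes threads->create, so at most one clone runs at a time.
my $spawn_lock :shared;

# 1. Resolve every path the workers will use to an absolute path before any
#    thread exists. Absolute paths are immune to a transient process-wide chdir.
#    The etc/ and lib/ layout is assumed for this example.
my $base   = abs_path('.');
my $conf   = File::Spec->catfile($base, 'etc', 'app.conf');
my $plugin = File::Spec->catfile($base, 'lib', 'Plugin.pm');

# 2. Enumerate directories up front and close the handle; never hold an open
#    directory handle while calling threads->create.
my @entries;
{
    opendir(my $dh, $base) or die "opendir $base: $!";
    @entries = grep { !/^\.\.?$/ } readdir($dh);
    closedir($dh);    # closed before the first thread is spawned
}
print scalar(@entries), " entries under $base\n";

sub worker {
    my ($id) = @_;
    # Only absolute paths here: the worker never depends on the current directory.
    open(my $fh, '<', $conf) or return "worker $id: cannot open $conf: $!";
    my $first_line = <$fh>;
    close($fh);
    # require with an absolute file path, not a bare module name resolved through
    # @INC entries such as '.' that would follow the working directory.
    eval { require $plugin; 1 } or return "worker $id: plugin load failed: $@";
    return "worker $id: ok";
}

# 3. Spawn threads one at a time under the lock.
my @threads;
for my $id (1 .. 3) {
    lock($spawn_lock);    # released when this loop iteration's scope ends
    push @threads, threads->create(\&worker, $id);
}
print "$_\n" for map { $_->join } @threads;
```

The lock only keeps two spawns from overlapping; the absolute paths are what protect a worker that happens to run during another thread's clone window.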