CVE-2011-10007

8.8 HIGH

📋 TL;DR

This vulnerability in the File::Find::Rule Perl module allows arbitrary command execution when grep() processes malicious filenames. An attacker who can create a specially crafted filename in a scanned directory can have it interpreted as a shell command. Any Perl application that uses File::Find::Rule's grep() method on untrusted file systems is affected.

💻 Affected Systems

Products:
  • File::Find::Rule Perl module
Versions: All versions through 0.34
Operating Systems: All operating systems running Perl
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the grep() method on untrusted file paths. The vulnerability requires attacker ability to create files in directories scanned by the application.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with root privileges if the vulnerable process runs with elevated permissions, allowing complete control over the affected system.

🟠 Likely Case: Arbitrary command execution with the privileges of the Perl process, potentially leading to data theft, privilege escalation, or lateral movement.

🟢 If Mitigated: Limited impact if the Perl process runs with minimal privileges and file system access is restricted to trusted directories.

🌐 Internet-Facing: MEDIUM - Risk exists if web applications process user-uploaded files using the vulnerable module, but requires specific conditions.
🏢 Internal Only: HIGH - Internal systems processing files from untrusted sources or shared directories are at significant risk.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to create files in the target directory. The provided example demonstrates successful command execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 0.34

Vendor Advisory: https://rt.cpan.org/Public/Bug/Display.html?id=64504

Restart Required: No

Instructions:

1. Update the File::Find::Rule module using CPAN: 'cpan File::Find::Rule'
2. Verify installation: perl -MFile::Find::Rule -e 'print "$File::Find::Rule::VERSION\n"'
3. Ensure version is greater than 0.34

🔧 Temporary Workarounds

Input sanitization

all

Sanitize filenames before passing to File::Find::Rule grep() method

# Before calling grep(), validate filenames:
# my $safe_path = sanitize_path($user_input);
# File::Find::Rule->grep('pattern')->in($safe_path);

Use three-argument open

all

Modify the module source to use three-argument open() instead of two-argument

# Edit lib/File/Find/Rule.pm line ~423
# Change: open my $fh, $file
# To: open my $fh, '<', $file
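
An application-side way to apply the same idea without editing the module, shown as an added example (not code from File::Find::Rule or from the advisory): it avoids grep() by listing files with File::Find::Rule and reading each one through three-argument open(), and it reports names that two-argument open() would not treat as a plain path. The helper names safe_content_grep and looks_like_open_mode and the search pattern are hypothetical.

```perl
#!/usr/bin/perl
# Added example: content search that never hands a filename to two-argument open().
use strict;
use warnings;
use File::Find::Rule;

# True for basenames that two-argument open() would not read as a plain file:
# a leading or trailing pipe, a leading mode character (< > +),
# or leading/trailing whitespace (which two-argument open() strips).
sub looks_like_open_mode {
    my ($name) = @_;
    return $name =~ /\A\s*[|<>+]/
        || $name =~ /\|\s*\z/
        || $name =~ /\A\s|\s\z/;
}

# Hypothetical helper: returns (\@hits, \@flagged) for files under @dirs.
#   @hits    - paths whose content matches $re
#   @flagged - paths whose basename deserves review (see above)
sub safe_content_grep {
    my ($re, @dirs) = @_;
    my (@hits, @flagged);
    for my $path (File::Find::Rule->file->in(@dirs)) {
        my ($base) = $path =~ m{([^/]*)\z};
        push @flagged, $path if looks_like_open_mode($base);

        # Three-argument open: the mode is fixed to read-only and $path
        # is used only as a filename, whatever characters it contains.
        open(my $fh, '<', $path)
            or do { warn "skipping $path: $!\n"; next };
        while (my $line = <$fh>) {
            if ($line =~ $re) { push @hits, $path; last }
        }
        close $fh;
    }
    return (\@hits, \@flagged);
}

# Constructed usage: directories come from the command line, default '.'.
my ($hits, $flagged) = safe_content_grep(qr/password/i, @ARGV ? @ARGV : '.');
print "match:  $_\n" for @$hits;
print "review: $_\n" for @$flagged;
```

Flagged paths are still read safely here; the list is meant for the log review described under Detection & Monitoring.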

🧯 If You Can't Patch

  • Restrict file system permissions to prevent untrusted users from creating files in scanned directories
  • Run Perl applications with minimal privileges and implement strict input validation for file paths

🔍 How to Verify

Check if Vulnerable:

Check if File::Find::Rule version is 0.34 or earlier and grep() method is used on untrusted paths

Check Version:

perl -MFile::Find::Rule -e 'print "Version: $File::Find::Rule::VERSION\n"'

Verify Fix Applied:

Test with the proof-of-concept example after patching - it should no longer execute commands

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from Perl scripts
  • File operations on suspicious filenames containing pipe characters

Network Indicators:

  • Outbound connections from Perl processes that normally don't network

SIEM Query:

process.name: "perl" AND cmdline: "File::Find::Rule" AND cmdline: "grep"
