CVE-2023-31484

8.1 HIGH

📋 TL;DR

CVE-2023-31484 is a missing TLS certificate verification vulnerability in CPAN.pm, the client behind the cpan command. Versions before 2.35 create their HTTP::Tiny download client without verify_SSL => 1, so HTTPS fetches accept any certificate, including one presented by an interception proxy. An attacker positioned between the client and the mirror can substitute a distribution tarball together with the CHECKSUMS file it is checked against, and the module then builds and installs attacker-controlled code. This affects Perl developers and any system that uses CPAN.pm to install modules from CPAN mirrors.

💻 Affected Systems

Products:
  • CPAN.pm
Versions: All versions before 2.35
Operating Systems: All operating systems running Perl with CPAN.pm
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any system that uses CPAN.pm to fetch over HTTPS through HTTP::Tiny. CPAN.pm relied on HTTP::Tiny's verify_SSL default, which was off in HTTP::Tiny before 0.083 (tracked separately as CVE-2023-31486); the CPAN.pm 2.35 fix passes verify_SSL => 1 explicitly instead of depending on that default.

📦 What is this software?

CPAN.pm is the Perl module that implements the cpan client, shipped with Perl itself: it locates distributions on the configured CPAN mirrors (urllist), then downloads, builds, tests and installs them.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers can perform man-in-the-middle attacks to inject malicious code into CPAN modules, leading to remote code execution, data theft, or complete system compromise on affected systems.

🟠

Likely Case

Attackers on the same network can intercept CPAN downloads and inject malicious code, potentially compromising development environments and production systems that install modules from CPAN.

🟢

If Mitigated

With CPAN traffic confined to a trusted network path (for example an internal mirror) and CPAN.pm's signature checking enabled, a man-in-the-middle can at most block downloads, causing failed installs but no code injection.

🌐 Internet-Facing: MEDIUM - Requires man-in-the-middle position, but public networks and compromised infrastructure could facilitate attacks.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this during module installations.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires a man-in-the-middle position but is straightforward once it is obtained: because the client accepts any certificate, a generic TLS-intercepting proxy presenting a self-signed certificate is enough, and no CPAN-specific tooling is needed. The oss-security advisory linked below describes the issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.35 and later

Vendor Advisory: http://www.openwall.com/lists/oss-security/2023/04/29/1

Restart Required: No

Instructions:

1. Update CPAN.pm: cpan CPAN
2. Verify the installed version: perl -MCPAN -e 'print "$CPAN::VERSION\n"'
3. Ensure the version printed is 2.35 or higher

Caveat: step 1 fetches the new CPAN.pm with the still-vulnerable client, so run it from a network path you trust (or against an internal mirror), or install the update from your OS package repository instead, so that the fix is not itself delivered over the channel the vulnerability affects.

🔧 Temporary Workarounds

Upgrade HTTP::Tiny so that its default verifies certificates

all

HTTP::Tiny has no environment variable that turns verification on; verification is its verify_SSL constructor option, which CPAN.pm before 2.35 does not pass. HTTP::Tiny 0.083 and later default verify_SSL to on, and an unpatched CPAN.pm inherits that default because it calls HTTP::Tiny->new without the option. Verification also needs IO::Socket::SSL and a CA bundle (Mozilla::CA or the system store); without them HTTPS fetches fail closed rather than falling back to unverified. The same bootstrap caveat as the official fix applies: these modules are downloaded with the vulnerable client.

cpan HTTP::Tiny IO::Socket::SSL Mozilla::CA
perl -MHTTP::Tiny -e 'print HTTP::Tiny->new->verify_SSL ? "verifying\n" : "NOT verifying\n"'

Use HTTP instead of HTTPS for CPAN

all

Listed for completeness only: this does not mitigate the vulnerability. An unverified HTTPS connection gives an active man-in-the-middle the same control over the download that plain HTTP does, so switching schemes changes nothing for the attacker and only makes the lack of protection explicit. Prefer an internal mirror reached over a trusted path.

perl -MCPAN -e 'shell' then 'o conf urllist unshift http://www.cpan.org/' then 'o conf commit'

🧯 If You Can't Patch

  • Use network segmentation to isolate CPAN traffic from untrusted networks, or point urllist at an internal mirror reached only over a trusted path (a man-in-the-middle still wins if the connection to the mirror itself crosses an untrusted network)
  • Enable CPAN.pm's signature checking (o conf check_sigs 1, which requires Module::Signature and a trusted keyring) so that a substituted CHECKSUMS file is rejected; the per-distribution digest check on its own does not help, because CHECKSUMS is fetched over the same unverified connection

🔍 How to Verify

Check if Vulnerable:

Run: perl -MCPAN -Mversion -e 'print version->parse($CPAN::VERSION) < version->parse("2.35") ? "VULNERABLE\n" : "not vulnerable\n"'

Check Version:

perl -MCPAN -e 'print $CPAN::VERSION'

Verify Fix Applied:

Run: perl -MCPAN -Mversion -e 'print version->parse($CPAN::VERSION) >= version->parse("2.35") ? "FIXED\n" : "NOT FIXED\n"'
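The following is an added example, not code from CPAN.pm or HTTP::Tiny, that ties the mechanism described in the TL;DR to the version checks above. It builds the two HTTP::Tiny clients side by side (the implicit-default client that CPAN.pm before 2.35 used, and the explicit verify_SSL => 1 client the fix uses), reports the installed CPAN.pm and HTTP::Tiny versions against the 2.35 and 0.083 thresholds, and asks HTTP::Tiny whether verification is actually possible on this host. It makes no network requests.

```perl
#!/usr/bin/env perl
# Added example (not CPAN.pm's or HTTP::Tiny's own code): report whether this
# host's CPAN.pm / HTTP::Tiny combination verifies TLS certificates, and show
# the unverified client next to the verified one. Runs offline.
use strict;
use warnings;
use version;
use HTTP::Tiny;
use CPAN ();    # load CPAN.pm for $CPAN::VERSION without importing its shell helpers

# 'fixed' or 'vulnerable' for a CPAN.pm version string. version->parse is used
# instead of a numeric compare so dotted and underscore versions sort correctly.
sub cpan_status {
    my ($v) = @_;
    return version->parse($v) >= version->parse('2.35') ? 'fixed' : 'vulnerable';
}

# HTTP::Tiny 0.083 changed the verify_SSL default from off to on, which an
# unpatched CPAN.pm inherits because it never passes the option itself.
sub tiny_default_verifies {
    my ($v) = @_;
    return version->parse($v) >= version->parse('0.083') ? 1 : 0;
}

my $cpan_ver = $CPAN::VERSION;
my $tiny_ver = $HTTP::Tiny::VERSION;

# The vulnerable pattern: the client CPAN.pm before 2.35 built, taking
# whatever HTTP::Tiny's verify_SSL default happens to be.
my $unverified = HTTP::Tiny->new;

# The fixed pattern: verification requested explicitly, whatever the default.
my $verified = HTTP::Tiny->new( verify_SSL => 1 );

printf "CPAN.pm %s: %s (fix is 2.35+)\n", $cpan_ver, cpan_status($cpan_ver);
printf "HTTP::Tiny %s: default verify_SSL = %d (expected %d from version)\n",
    $tiny_ver, $unverified->verify_SSL ? 1 : 0, tiny_default_verifies($tiny_ver);
printf "HTTP::Tiny->new(verify_SSL => 1): verify_SSL = %d\n", $verified->verify_SSL ? 1 : 0;

# verify_SSL => 1 only helps if HTTP::Tiny can do TLS at all: can_ssl() checks
# for usable IO::Socket::SSL / Net::SSLeay and, on a verifying client, that a
# CA bundle can be found. When it returns false, HTTPS fetches fail closed.
my ( $ok, $why ) = $verified->can_ssl;
print $ok
    ? "TLS verification possible on this host\n"
    : "TLS verification NOT possible on this host: $why\n";

# Overall verdict: safe only if CPAN.pm is fixed or the HTTP::Tiny default
# already verifies, and verification is actually usable.
my $safe = ( cpan_status($cpan_ver) eq 'fixed' || $unverified->verify_SSL ) && $ok;
print $safe ? "Verdict: downloads are verified\n" : "Verdict: VULNERABLE to CVE-2023-31484\n";
```

A host where CPAN.pm is old but HTTP::Tiny is 0.083 or newer prints a default verify_SSL of 1 and a verified verdict; a host with both old prints 0 and VULNERABLE. A "NOT possible" line on a patched host means installs will fail rather than silently fall back to unverified fetches, which is the intended fail-closed behaviour, and the fix is to install IO::Socket::SSL and a CA bundle.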

📡 Detection & Monitoring

Log Indicators:

  • Before the fix, CPAN.pm never verifies, so an attack leaves no verification failure in its output; the absence of such failures is not evidence of safety
  • After the fix (or with HTTP::Tiny 0.083+), an intercepted download fails with HTTP::Tiny's "599 Internal Exception" result carrying IO::Socket::SSL's "certificate verify failed" text; treat these as a signal to inspect the network path, not as noise to suppress
  • Fetches from hosts that are not in the configured urllist

Network Indicators:

  • HTTPS connections from build or developer hosts to CPAN mirrors that complete a handshake with a certificate not issued by the mirror's expected CA (self-signed or issued by an interception proxy)
  • CPAN mirror hostnames resolving to, or traffic being routed to, addresses that do not belong to the mirror

SIEM Query (illustrative; field names vary by platform):

(source="cpan.log" AND ("certificate verify failed" OR "599 Internal Exception")) OR (source="network" AND dest_host="*.cpan.org" AND tls_handshake_failure)
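The following is an added example, not CPAN.pm's own code, that applies the two log indicators above to CPAN client output. The sample lines are constructed: the "Fetching with" line follows the fetch message format assumed here for CPAN.pm, and the 599 line follows HTTP::Tiny's "599 Internal Exception" result wrapping IO::Socket::SSL's error text. Adjust the regexes to what your real logs contain.

```perl
#!/usr/bin/env perl
# Added example (not CPAN.pm's own code): scan CPAN client output for fetches
# from hosts outside urllist and for TLS verification failures.
use strict;
use warnings;

# Hosts allowed to serve this machine: mirror this from your urllist.
my @ALLOWED_HOSTS = qw(www.cpan.org cpan.internal.example);

# CONSTRUCTED sample session: one expected fetch, one from a host that is not
# in urllist, and one verification failure as a patched client reports it.
my @SAMPLE_LOG = (
    'Fetching with HTTP::Tiny: https://www.cpan.org/authors/01mailrc.txt.gz',
    'Fetching with HTTP::Tiny: https://mirror.evil.example/authors/01mailrc.txt.gz',
    '599 Internal Exception: SSL connection failed for www.cpan.org: '
      . 'SSL connect attempt failed error:0A000086:SSL routines::certificate verify failed',
);

# scan_lines(\@allowed_hosts, @lines) returns a list of hashrefs
# { type => ..., host => ..., line => ... }, one per indicator hit.
sub scan_lines {
    my ( $allowed, @lines ) = @_;
    my %allowed = map { lc($_) => 1 } @$allowed;
    my @hits;
    for my $line (@lines) {
        # Indicator 1: a fetch whose host is not one of the configured mirrors.
        # Assumed format: "Fetching with <method>: <url>".
        if ( $line =~ m{^Fetching with \S+:\s+\w+://([^/:\s]+)} ) {
            my $host = lc $1;
            push @hits, { type => 'unexpected_source', host => $host, line => $line }
                unless $allowed{$host};
        }
        # Indicator 2: a verification failure. Only a patched client (or
        # HTTP::Tiny 0.083+) can emit this; a pre-2.35 client never verifies,
        # so silence here is not evidence of safety.
        if ( $line =~ /599 Internal Exception|certificate verify failed/i ) {
            my ($host) = $line =~ /SSL connection failed for ([^:\s]+)/;
            push @hits, { type => 'tls_verify_failure', host => $host // '?', line => $line };
        }
    }
    return @hits;
}

for my $hit ( scan_lines( \@ALLOWED_HOSTS, @SAMPLE_LOG ) ) {
    printf "%-20s host=%s\n  %s\n", $hit->{type}, $hit->{host}, $hit->{line};
}
```

On the constructed sample this reports one unexpected_source hit for mirror.evil.example and one tls_verify_failure hit for www.cpan.org. Feed it the captured output of cpan runs from build hosts; a tls_verify_failure on a host where the fix is installed is exactly the event the vulnerable version would have hidden.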
