CVE-2026-49145

Summary

App::Ack versions through 3.10.0 for Perl read arbitrary files via –files-from in a project .ackrc.

ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option blocklist in App::Ack::ConfigLoader does not include –files-from, so a project .ackrc can set it to a path whose listed files ack then reads and searches. Version 3.10.0 added –follow to the blocklist; –files-from remains accepted.

A project .ackrc committed to an untrusted repository can make ack read files outside the project and print their matching lines.

Affected Software

VendorProductVersion RangeStatus
PETDANCEApp::Ack0 <= 3.10.0affected

Weaknesses

  • CWE-73: CWE-73 External Control of File Name or Path
  • CWE-426: CWE-426 Untrusted Search Path

Workarounds

Run ack with –noenv, or avoid running ack in a directory tree that contains an untrusted .ackrc.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References