CVE-2026-49145
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
App::Ack versions through 3.10.0 for Perl read arbitrary files via –files-from in a project .ackrc.
ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option blocklist in App::Ack::ConfigLoader does not include –files-from, so a project .ackrc can set it to a path whose listed files ack then reads and searches. Version 3.10.0 added –follow to the blocklist; –files-from remains accepted.
A project .ackrc committed to an untrusted repository can make ack read files outside the project and print their matching lines.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| PETDANCE | App::Ack | 0 <= 3.10.0 | affected |
Weaknesses
- CWE-73: CWE-73 External Control of File Name or Path
- CWE-426: CWE-426 Untrusted Search Path
Workarounds
Run ack with –noenv, or avoid running ack in a directory tree that contains an untrusted .ackrc.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.