A newly disclosed vulnerability in Perl’s threading mechanism, tracked as CVE-2025-40909, exposes systems to race conditions involving the working directory, potentially enabling local attackers to manipulate file operations or load unauthorized code.
The issue affects Perl versions from 5.13.6 up to, but not including, 5.41.13, and arises from the way Perl handles directory handles during thread creation.
“If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread,” the oss-sec mailing list notes. “This is visible from any third (or more) thread already running.”
This race condition makes it possible for concurrent threads to observe and interact with temporary changes in the current working directory, which could inadvertently redirect file operations—such as reading sensitive files, loading untrusted code, or modifying configuration files—to unintended paths.
This kind of concurrency flaw “may lead to unintended operations such as loading code or accessing files from unexpected locations,” and is exploitable only by local users, reducing its reach but still posing a significant risk in multi-user or containerized environments.
The Perl development team has released a patch to resolve the issue in version 5.41.13. All users and administrators are strongly advised to:
- Upgrade Perl to version 5.41.13 or higher
- Or, apply the official patch to existing installations
