CVE-2024-45321

Source: Red Hat CVE database (redhat.com / access.redhat.com), entry RH:CVE-2024-45321
Published: 2024-08-29 05:29:58

Tags: app::cpanminus, http download, content modification, code execution, cve-2024-45321, mitigation strategies

CVSS3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 7.1 (Confidence: Low)
EPSS: 0.001 (Percentile: 28.1%)

A flaw was found in App::cpanminus (cpanm) through version 1.7047. In its default configuration cpanm downloads Perl modules from CPAN over plain HTTP, so anyone able to intercept the traffic (an on-path attacker on the network) can read or modify the downloaded content without the user noticing. Because cpanm unpacks, builds and installs whatever it fetches, an attacker who can intercept and modify the distribution before it reaches the user can execute arbitrary code on the installing system, with the privileges of the user running cpanm.

Mitigation

A user can force cpanminus to use an HTTPS mirror with the --from command-line argument. This can be passed as a CLI option or set in the PERL_CPANM_OPT environment variable, which cpanm reads on every invocation. --from (alias -M) is equivalent to --mirror URL --mirror-only, so index lookups as well as downloads go to the named mirror.

As a command-line argument, replacing DISTNAME with the name of the distribution you want to install:

$ cpanm --from https://www.cpan.org DISTNAME

As an environment variable, so that every later cpanm invocation in the shell uses the mirror:

$ export PERL_CPANM_OPT="--from https://www.cpan.org"

Check that the HTTPS fetch actually succeeds: cpanm's Perl-based download backends need a TLS-capable stack (for example IO::Socket::SSL and a CA bundle) to speak HTTPS. A failed TLS fetch should be treated as an error and the missing TLS support installed, not worked around by reverting to an http:// mirror.
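The wrapper below is an added example, not part of cpanminus or of Red Hat's advisory. It packages the mitigation above as a fail-closed shell wrapper: it builds the PERL_CPANM_OPT value for an HTTPS mirror, refuses any mirror that is not https://, and also scans an existing PERL_CPANM_OPT for a plain-HTTP mirror (passed via --from, -M or --mirror) before running cpanm, so that a stale environment setting cannot quietly undo the fix. Only the --from/-M/--mirror options and the PERL_CPANM_OPT variable are real cpanm interfaces; the wrapper and function names are assumptions made for the example, and the default mirror is the one the advisory uses.

```shell
#!/bin/sh
# Added example for CVE-2024-45321: a wrapper that only runs cpanm with an
# HTTPS mirror. Not part of cpanminus or the Red Hat advisory. The option
# names (--from, -M, --mirror) and PERL_CPANM_OPT are real cpanm interfaces;
# everything else here (function and wrapper names) is ours.

# Return 0 only if the URL uses the https:// scheme.
mirror_is_https() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Scan an option string (e.g. the contents of PERL_CPANM_OPT) for a mirror
# given over plain HTTP. Returns 0 if one is found, 1 otherwise.
# The string is word-split, which is how cpanm turns PERL_CPANM_OPT into
# arguments.
opts_have_plain_http_mirror() {
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            --from|-M|--mirror)
                shift
                [ $# -gt 0 ] || return 1
                case "$1" in http://*) return 0 ;; esac
                ;;
            --from=http://*|--mirror=http://*)
                return 0 ;;
        esac
        shift
    done
    return 1
}

# Print the PERL_CPANM_OPT value that pins cpanm to one HTTPS mirror.
# Defaults to the mirror named in the advisory; fails on any non-HTTPS URL.
build_cpanm_opt() {
    mirror=${1:-https://www.cpan.org}
    if ! mirror_is_https "$mirror"; then
        echo "refusing non-HTTPS mirror: $mirror" >&2
        return 1
    fi
    printf '%s\n' "--from $mirror"
}

# run_cpanm MIRROR DIST...  ->  exec cpanm with the hardened environment.
# Refuses to run if the inherited PERL_CPANM_OPT already names an http:// mirror.
run_cpanm() {
    mirror=$1; shift
    if opts_have_plain_http_mirror "${PERL_CPANM_OPT:-}"; then
        echo "PERL_CPANM_OPT already names a plain-HTTP mirror; fix it first" >&2
        return 1
    fi
    opt=$(build_cpanm_opt "$mirror") || return 1
    PERL_CPANM_OPT="$opt" exec cpanm "$@"
}

# Usage when saved as a script (hypothetical name cpanm-https):
#   ./cpanm-https https://www.cpan.org DISTNAME
# run_cpanm "$@"
```

The scan deliberately treats the option string exactly as cpanm would see it (whitespace-split, with both `--from URL` and `--from=URL` spellings), because an operator-level mitigation that can be bypassed by an unnoticed shell profile setting is not a mitigation.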
