{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4851", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2026-03-25T14:56:47.454Z", "datePublished": "2026-03-29T00:22:22.578Z", "dateUpdated": "2026-03-29T00:23:56.336Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "GRID-Machine", "product": "GRID::Machine", "programFiles": ["lib/GRID/Machine/Message.pm"], "programRoutines": [{"name": "GRID::Machine::read_operation()"}], "vendor": "CASIANO", "versions": [{"lessThanOrEqual": "0.127", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Pied Crow crow@cpan.org"}], "descriptions": [{"lang": "en", "value": "GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization.\n\nGRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary code back on the client through unsafe deserialization in the RPC protocol.\n\nread_operation() in lib/GRID/Machine/Message.pm deserialises values from the remote side using eval()\n\n $arg .= '$VAR1';\n my $val = eval \"no strict; $arg\"; # line 40-41\n\n$arg is raw bytes from the protocol pipe. A compromised remote host can embed arbitrary perl in the Dumper-formatted response:\n\n $VAR1 = do { system(\"...\"); };\n\nThis executes on the client silently on every RPC call, as the return values remain correct.\n\nThis functionality is by design but the trust requirement for the remote host is not documented in the distribution."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-95", "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-03-29T00:22:22.578Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.openwall.com/lists/oss-security/2026/03/26/6"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2026-03-24T00:00:00.000Z", "value": "Vulnerability reported to module author and CPANSec"}, {"lang": "en", "time": "2026-03-25T00:00:00.000Z", "value": "CVE assigned by CPANSec"}, {"lang": "en", "time": "2026-03-26T00:00:00.000Z", "value": "Author confirmed module is unmaintained, no fix available"}, {"lang": "en", "time": "2026-03-26T00:00:00.000Z", "value": "Disclosed on oss-security mailing list"}], "title": "GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization", "workarounds": [{"lang": "en", "value": "There is no fix available. If used, only connect to trusted remote hosts."}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/26/6"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-29T00:23:56.336Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization.\n\nGRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary code back on the client through unsafe deserialization in the RPC protocol.\n\nread_operation() in lib/GRID/Machine/Message.pm deserialises values from the remote side using eval()\n\n $arg .= '$VAR1';\n my $val = eval \"no strict; $arg\"; # line 40-41\n\n$arg is raw bytes from the protocol pipe. A compromised remote host can embed arbitrary perl in the Dumper-formatted response:\n\n $VAR1 = do { system(\"...\"); };\n\nThis executes on the client silently on every RPC call, as the return values remain correct.\n\nThis functionality is by design but the trust requirement for the remote host is not documented in the distribution."}], "id": "CVE-2026-4851", "lastModified": "2026-03-30T13:26:07.647", "metrics": {}, "published": "2026-03-29T01:15:56.967", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://www.openwall.com/lists/oss-security/2026/03/26/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/03/26/6"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-95"}, {"lang": "en", "value": "CWE-502"}], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.127]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "GRID::Machine", "source": "cna", "vendor": "CASIANO"}, "product": "grid::machine", "vendor": "casiano"}], "analysis": {"en": {"generated_at": "2026-03-29T05:21:49.579016+00:00", "value": {"mitigation_remediation": ["Ensure GRID::Machine only connects to trusted remote hosts.", "Use firewall rules or network segmentation to block unauthorized SSH access to the client machine.", "Monitor RPC logs for unexpected or malformed responses to detect exploitation attempts.", "When a vendor patch or update becomes available, apply it immediately.", "Run the GRID::Machine client with the least privileges necessary to limit damage from a compromise."], "summary": {"action": "Restrict Connections", "impact": "Remote code execution via unsafe deserialization"}, "threat_synthesis": {"affected_systems": "The affected product is GRID::Machine for Perl, in all released versions up to and including 0.127. Users of this version range who rely on the RPC over SSH functionality are susceptible. No specific patch or version upgrade is currently available from the vendor. The distribution does not document its trust requirement for the remote host, leaving users unaware that connecting to an untrusted host exposes them to this risk.", "description_and_impact": "GRID::Machine versions through 0.127 for Perl perform remote procedure calls over SSH and internally deserialize data received from the remote host using Perl's eval function. The implementation accepts raw bytes from the protocol pipe, prepending them with \\'$VAR1\\' and evaluating them. A malicious or compromised remote host can embed arbitrary Perl code in the serialized response, for example \\'$VAR1 = do { system(\"...\"); };\\', which is executed on the client side silently on every RPC call. This constitutes an arbitrary code execution vulnerability that can be exercised by any remote host the client connects to, enabling a remote attacker to run code on the client system without authentication. The weakness is rooted in unsafe deserialization (CWE\u2011502) and code injection (CWE\u201195).", "risk_and_exploitability": "Because the vulnerability is triggered when the client initiates an RPC call to a remote host, any client that connects to an unauthenticated or poorly secured SSH endpoint is at risk. Exploitation requires the attacker to control the remote host or to supply forged responses over the established RPC channel. The absence of a CVSS score or EPSS estimate and the lack of a CISA KEV listing do not diminish the inherent danger of remote code execution; the risk remains high for any environment that does not enforce strict host trust boundaries. If an attacker can provide a malicious serialized payload, they can gain persistent, silent control over the client. The attack vector is therefore inferred to be remote, dependent on outbound connections to untrusted servers."}}}}, "created": "2026-03-29T20:31:53.328836+00:00", "updated": "2026-03-30T06:58:45.602509+00:00", "vendors": ["casiano", "casiano$PRODUCT$grid::machine"]}