App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc.

ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option blocklist in App::Ack::ConfigLoader does not include --files-from, so a project .ackrc can set it to a path whose listed files ack then reads and searches. Version 3.10.0 added --follow to the blocklist; --files-from remains accepted.

A project .ackrc committed to an untrusted repository can make ack read files outside the project and print their matching lines.

Project Subscriptions

No data.

Advisories

No advisories yet.

Fixes

Solution

Upgrade to a future ack release.


Workaround

Run ack with --noenv, or avoid running ack in a directory tree that contains an untrusted .ackrc.

History

Wed, 08 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 15:00:00 +0000

Type Values Removed Values Added
Description App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option blocklist in App::Ack::ConfigLoader does not include --files-from, so a project .ackrc can set it to a path whose listed files ack then reads and searches. Version 3.10.0 added --follow to the blocklist; --files-from remains accepted. A project .ackrc committed to an untrusted repository can make ack read files outside the project and print their matching lines.
Title App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc
Weaknesses CWE-426
CWE-73
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-07-08T17:31:32.120Z

Reserved: 2026-05-27T17:50:04.538Z

Link: CVE-2026-49145

cve-icon Vulnrichment

Updated: 2026-07-08T17:31:32.120Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses