Mite for Perl Arbitrary Code Execution Vulnerability via Current Working Directory in @INC

A vulnerability in Mite for Perl, affecting versions prior to 0.013000, allows for arbitrary code execution by adding the current working directory to the @INC path. This could lead to the execution of malicious files placed in the working directory, instead of the intended ones. The issue arises because Perl's module loading mechanism can be manipulated to load code from locations controlled by an attacker.

Impact

Exploitation of this vulnerability could result in arbitrary code execution within the context of the Perl application using the affected Mite version.

Reproduction

To reproduce this vulnerability, create a Perl script that uses Mite to generate code. Place a malicious file in the current working directory and ensure that the script is executed in an environment where 'dot' is included in the @INC path. The malicious file will be loaded instead of the intended one, due to the current working directory being added to the @INC path.

Remediation

Users can update to Mite version 0.013000 or later, which removes the current working directory from the @INC path. Instructions for updating can be found on the Mite MetaCPAN page.