{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15638", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2026-04-20T12:20:50.153Z", "datePublished": "2026-04-21T15:34:18.988Z", "dateUpdated": "2026-04-21T16:23:17.147Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Net-Dropbear", "product": "Net::Dropbear", "repo": "https://github.com/atrodo/Net-Dropbear", "vendor": "ATRODO", "versions": [{"lessThan": "0.14", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt.\n\nNet::Dropbear versions before 0.14 includes versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt v1.18.1 or earlier, which is affected by CVE-2016-6129 and CVE-2018-12437."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1395", "description": "CWE-1395 Dependency on Vulnerable Third-Party Component", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-04-21T15:34:18.988Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2016-6129"}, {"tags": ["vendor-advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2018-12437"}, {"tags": ["release-notes"], "url": "https://metacpan.org/release/ATRODO/Net-Dropbear-0.14/source/dropbear/libtomcrypt/changes"}], "source": {"discovery": "UNKNOWN"}, "title": "Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt", "x_generator": {"engine": "cpansec-cna-tool 0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T16:22:48.674288Z", "id": "CVE-2025-15638", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T16:23:17.147Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-15638", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T16:22:48.674288Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T16:23:11.845Z"}}], "cna": {"title": "Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt", "source": {"discovery": "UNKNOWN"}, "affected": [{"repo": "https://github.com/atrodo/Net-Dropbear", "vendor": "ATRODO", "product": "Net::Dropbear", "versions": [{"status": "affected", "version": "0", "lessThan": "0.14", "versionType": "custom"}], "packageName": "Net-Dropbear", "collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected"}], "references": [{"url": "https://www.cve.org/CVERecord?id=CVE-2016-6129", "tags": ["vendor-advisory"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2018-12437", "tags": ["vendor-advisory"]}, {"url": "https://metacpan.org/release/ATRODO/Net-Dropbear-0.14/source/dropbear/libtomcrypt/changes", "tags": ["release-notes"]}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}, "descriptions": [{"lang": "en", "value": "Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt.\n\nNet::Dropbear versions before 0.14 includes versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt v1.18.1 or earlier, which is affected by CVE-2016-6129 and CVE-2018-12437."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1395", "description": "CWE-1395 Dependency on Vulnerable Third-Party Component"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-04-21T15:34:18.988Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15638", "state": "PUBLISHED", "dateUpdated": "2026-04-21T16:23:17.147Z", "dateReserved": "2026-04-20T12:20:50.153Z", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "datePublished": "2026-04-21T15:34:18.988Z", "assignerShortName": "CPANSec"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:atrodo:net\\:\\:dropbear:*:*:*:*:*:perl:*:*", "matchCriteriaId": "91F6D1F0-6540-4E28-B101-360941675111", "versionEndExcluding": "0.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt.\n\nNet::Dropbear versions before 0.14 includes versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt v1.18.1 or earlier, which is affected by CVE-2016-6129 and CVE-2018-12437."}], "id": "CVE-2025-15638", "lastModified": "2026-04-22T17:35:37.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-21T16:16:19.030", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Release Notes"], "url": "https://metacpan.org/release/ATRODO/Net-Dropbear-0.14/source/dropbear/libtomcrypt/changes"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2016-6129"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2018-12437"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Net::Dropbear", "source": "cna", "vendor": "ATRODO"}, "product": "net::dropbear", "vendor": "atrodo"}], "analysis": {"en": {"generated_at": "2026-04-28T16:17:06.210810+00:00", "value": {"mitigation_remediation": ["Upgrade Net::Dropbear to 0.14 or later, which replaces the vulnerable libtomcrypt with a secure version.", "If separate libtomcrypt packages are installed, update them to a non\u2011vulnerable release before or concurrently with the Net::Dropbear upgrade.", "Apply any available patches to the Perl environment and stay informed of vendor advisories; monitor for further remediation."], "summary": {"action": "Immediate Upgrade", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All Net::Dropbear Perl packages released by ATRODO with versions earlier than 0.14 are affected. These modules embed Dropbear 2019.78 or older releases that contain libtomcrypt v1.18.1 or earlier. Consequently, any system running these specific Perl modules that interacts with Dropbear is at risk.", "description_and_impact": "The vulnerability resides in the legacy libtomcrypt library bundled within Net::Dropbear Perl modules before 0.14. When used, a memory corruption flaw (CWE-1395) in that library can occur upon processing certain cryptographic inputs, potentially allowing an attacker to overwrite memory and execute arbitrary code within the context of the module.", "risk_and_exploitability": "The CVSS score of 10 denotes a critical risk level, while the EPSS score of less than 1\u202f% indicates a very low but non\u2011zero likelihood of exploitation. KEV lists the vulnerability as not known to be exploited in the wild. Based on the type of library and that Net::Dropbear typically serves as an SSH\u2011style server, the likely attack vector is an attacker sending crafted cryptographic data over a network connection; the severity remains high if exploitation succeeds. This attack vector is inferred, not explicitly stated in the provided description."}}}}, "created": "2026-04-21T22:45:16.066228+00:00", "updated": "2026-04-28T16:30:35.083724+00:00", "vendors": ["atrodo", "atrodo$PRODUCT$net::dropbear"]}