ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option blocklist in App::Ack::ConfigLoader does not include --files-from, so a project .ackrc can set it to a path whose listed files ack then reads and searches. Version 3.10.0 added --follow to the blocklist; --files-from remains accepted.
A project .ackrc committed to an untrusted repository can make ack read files outside the project and print their matching lines.
Analysis and contextual insights are available on OpenCVE Cloud.
Vendor Solution
Upgrade to a future ack release.
Vendor Workaround
Run ack with --noenv, or avoid running ack in a directory tree that contains an untrusted .ackrc.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 08 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
Wed, 08 Jul 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option blocklist in App::Ack::ConfigLoader does not include --files-from, so a project .ackrc can set it to a path whose listed files ack then reads and searches. Version 3.10.0 added --follow to the blocklist; --files-from remains accepted. A project .ackrc committed to an untrusted repository can make ack read files outside the project and print their matching lines. | |
| Title | App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc | |
| Weaknesses | CWE-426 CWE-73 |
|
| References |
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: CPANSec
Published:
Updated: 2026-07-08T15:21:13.451Z
Reserved: 2026-05-27T17:50:04.538Z
Link: CVE-2026-49145
Updated: 2026-07-08T15:21:03.722Z
No data.
No data.
OpenCVE Enrichment
No data.