Summary
The CI workflow downloads and executes cpanminus over unencrypted HTTP, which allows a network attacker to modify the payload and gain arbitrary code execution in CI runners.
Location
.github/workflows/ci.yml:51:
curl -L http://cpanmin.us | perl - --sudo App::cpanminus
Risk
Piping curl | perl over plain HTTP is a classic MITM vector. An attacker who can intercept network traffic (DNS poisoning, compromised network path, BGP hijack) could inject arbitrary Perl code that executes with --sudo privileges on the CI runner.
Suggested fix
Switch to HTTPS and ideally pin a checksum:
curl -fsSL https://cpanmin.us | perl - --sudo App::cpanminus
Or better, install from a package manager or cache the binary with a verified hash.
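One way to carry out the suggested fix in a CI step, as an added example (this is not the project's workflow and not the cpanminus project's own installer): fetch the script over HTTPS to a file, compare its SHA-256 against a pinned value, and only execute it when the digest matches. The function names, the `--proto '=https'` hardening, and the `CPANM_SHA256` placeholder are assumptions for illustration; the real digest has to come from a release you have audited and must be updated whenever the pinned cpanm version changes. Checksum verification is impossible with a bare `curl | perl` pipe because nothing ever sees the whole payload before Perl starts interpreting it, which is why the script is staged on disk first.

```shell
#!/usr/bin/env sh
# Added example, not the project's own CI code. Downloads cpanminus over HTTPS,
# verifies a pinned SHA-256, and executes it only when the digest matches.
# CPANM_SHA256 is a placeholder (assumption): replace it with the digest of the
# release you audited.

CPANM_URL="https://cpanmin.us"
CPANM_SHA256="PLACEHOLDER_REPLACE_WITH_AUDITED_SHA256"

# sha256_of FILE -> prints the hex digest; falls back to shasum on macOS runners
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE EXPECTED -> exit status 0 only on an exact digest match
verify_checksum() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_and_verify URL DEST EXPECTED -> TLS-only download, refuses to keep a
# file whose digest does not match the pinned value
fetch_and_verify() {
    # --proto '=https' rejects any redirect that would downgrade to plain HTTP
    curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1" || return 1
    if ! verify_checksum "$2" "$3"; then
        echo "checksum mismatch for $1; refusing to execute" >&2
        rm -f "$2"
        return 1
    fi
}

# install_cpanm: the CI step body; never pipes untrusted bytes straight into perl
install_cpanm() {
    tmp=$(mktemp)
    fetch_and_verify "$CPANM_URL" "$tmp" "$CPANM_SHA256" || exit 1
    perl "$tmp" --sudo App::cpanminus
    rm -f "$tmp"
}

# In the workflow step, call:
# install_cpanm
```

In the workflow, the pinned digest lives next to the URL, so any change to the served script (malicious or simply a new upstream release) fails the step loudly instead of running silently with `--sudo`. Caching the verified file as a build artifact, as the issue suggests, removes the network fetch from the critical path entirely.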
Context
Found during multi-model code review of PR #2048. Filed as a separate issue since it's a pre-existing concern outside that PR's scope.