Security Advisories (6)
CVE-2022-48522 (2023-08-22)

In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.

CVE-2023-47038 (2023-10-30)

A crafted regular expression, when compiled by perl 5.30.0 through 5.38.0, can cause a one-byte, attacker-controlled buffer overflow in a heap-allocated buffer.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.

    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'
    Segmentation fault (core dumped)

It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2025-40909 (2025-05-30)

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6.

NAME

Module::Load - runtime require of both modules and files

SYNOPSIS

use Module::Load;

my $module = 'Data::Dumper';

load Data::Dumper;     # loads that module, but does not import any functions
                       # -> cannot use 'Dumper' function

load 'Data::Dumper';   # ditto
load $module;          # tritto

autoload Data::Dumper; # loads that module and imports the default functions
                       # -> can use 'Dumper' function

my $script = 'some/script.pl';
load $script;
load 'some/script.pl';  # use quotes because of the punctuation

load thing;             # try 'thing' first, then 'thing.pm'

load CGI, ':all';       # like 'use CGI qw[:standard]'

DESCRIPTION

Module::Load eliminates the need to know whether you are trying to require either a file or a module.

If you consult perldoc -f require you will see that require will behave differently when given a bareword or a string.

In the case of a string, require assumes you are wanting to load a file. But in the case of a bareword, it assumes you mean a module.

This gives nasty overhead when you are trying to dynamically require modules at runtime, since you will need to change the module notation (Acme::Comment) to a file notation fitting the particular platform you are on.

Module::Load eliminates the need for this overhead and will just DWYM.

Difference between load and autoload

Module::Load imports two functions: load and autoload.

autoload imports the default functions automatically, but load does not import any functions.

autoload is usable under BEGIN{};.

Both the functions can import the functions that are specified.

The following two statements are equivalent.

load File::Spec::Functions, qw/splitpath/;

autoload File::Spec::Functions, qw/splitpath/;

FUNCTIONS

load

Loads a specified module.

See "Rules" for detailed loading rule.

autoload

Loads a specified module and imports the default functions.

Apart from importing the functions, 'autoload' is the same as 'load'.

load_remote

Loads a specified module to the specified package.

use Module::Load 'load_remote';

my $pkg = 'Other::Package';

load_remote $pkg, 'Data::Dumper'; # load a module to 'Other::Package'
                                  # but do not import 'Dumper' function

The name of the module to load must be quoted.

Apart from specifying the package and quoting the module name, 'load_remote' is the same as 'load'.

autoload_remote

Loads a specified module and imports the default functions to the specified package.

use Module::Load 'autoload_remote';

my $pkg = 'Other::Package';

autoload_remote $pkg, 'Data::Dumper'; # load a module to 'Other::Package'
                                      # and imports 'Dumper' function

The name of the module to load must be quoted.

Apart from specifying the package and quoting the module name, 'autoload_remote' is the same as 'load_remote'.

Rules

All functions use the following rules to decide what they think you want:

  • If the argument has any characters in it other than those matching \w, : or ', it must be a file

  • If the argument matches only [\w:'], it must be a module

  • If the argument matches only \w, it could either be a module or a file. We will try to find file.pm first in @INC and if that fails, we will try to find file in @INC. If both fail, we die with the respective error messages.
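Under these rules a string containing '/' or '.' is treated as a file path, so a name that comes from configuration or user input should be checked before it reaches load. The following is an added example, not part of Module::Load or its documentation: classify() restates the documented rules, and %ALLOWED, classify and safe_load are hypothetical names chosen for illustration.

```perl
use strict;
use warnings;
use Module::Load;

# Hypothetical allowlist: the only modules this application loads by name.
my %ALLOWED = map { $_ => 1 } qw(Data::Dumper File::Spec::Functions);

# Restates the documented rules; this is not Module::Load's internal code.
sub classify {
    my ($arg) = @_;
    return 'invalid' unless defined $arg && length $arg;
    return 'file'           if $arg =~ /[^\w:']/;  # anything outside \w, : or '
    return 'module-or-file' if $arg !~ /[:']/;     # only \w: file.pm, then file
    return 'module';                               # only [\w:']
}

# Load a name taken from untrusted input only if it is exactly on the
# allowlist. The classification is reported so rejections can be logged.
sub safe_load {
    my ($name) = @_;
    my $kind  = classify($name);
    my $shown = $name // '(undef)';
    die "refusing '$shown': treated as $kind and not on the allowlist\n"
        unless $kind ne 'invalid' && $ALLOWED{$name};
    load $name;
    return $name;
}

# Constructed sample inputs, as they might arrive from a config file.
for my $input ('Data::Dumper', 'thing', 'some/script.pl', '../tmp/x.pl') {
    my $ok = eval { safe_load($input); 1 };
    printf "%-16s %-15s %s\n", $input, classify($input),
        $ok ? 'loaded' : 'rejected';
}
```

Matching the whole string against an allowlist also rejects names that only differ by a trailing newline or path component, which a pattern check alone can miss.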

IMPORTS THE FUNCTIONS

'load' and 'autoload' are imported by default, but 'load_remote' and 'autoload_remote' are not imported.

To use 'load_remote' or 'autoload_remote', name them in the 'use' statement.

"load","autoload","load_remote","autoload_remote"

Imports the selected functions.

# imports 'load' and 'autoload' (default)
use Module::Load;

# imports 'autoload' only
use Module::Load 'autoload';

# imports 'autoload' and 'autoload_remote', but does not import 'load'
use Module::Load qw/autoload autoload_remote/;

'all'

Imports all the functions.

use Module::Load 'all'; # imports load, autoload, load_remote, autoload_remote

'','none',undef

Does not import any functions (load and autoload are not imported).

use Module::Load '';

use Module::Load 'none';

use Module::Load undef;

Caveats

Because of a bug in perl (#19213), at least in version 5.6.1, we have to hardcode the path separator for a require on Win32 to be /, like on Unix, rather than the Win32 \. Otherwise perl will not read its own %INC accurately, will double-load files if they are required again, or, in the worst case, will core dump.

Module::Load cannot do implicit imports, only explicit imports. (In other words, you always have to specify explicitly what you wish to import from a module, even if the functions are in that module's @EXPORT.)

SEE ALSO

Module::Runtime provides functions for loading modules, checking the validity of a module name, converting a module name to partial .pm path, and related utility functions.

"require" in perlfunc and "use" in perlfunc.

Mojo::Loader is a "class loader and plugin framework", and is included in the Mojolicious distribution.

Module::Loader is a module for finding and loading modules in a given namespace, inspired by Mojo::Loader.

ACKNOWLEDGEMENTS

Thanks to Jonas B. Nielsen for making explicit imports work.

BUG REPORTS

Please report bugs or other issues to <bug-module-load@rt.cpan.org>.

AUTHOR

This module by Jos Boumans <kane@cpan.org>.

COPYRIGHT

This library is free software; you may redistribute and/or modify it under the same terms as Perl itself.