Security Advisories (1)
CVE-2026-8612 (2026-05-15)

WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution. With no explicit cache backend, WWW::Mechanize::Cached constructs a default Cache::FileCache under /tmp/FileCache without overriding the backend's documented directory_umask of 000, so the cache root and its subdirectories are created mode 0777 with no sticky bit. Cache entries are named by sha1_hex of the request and read back through Storable::thaw on the next cache hit. A local attacker with write access to the cache tree can replace a victim's cache entry for a known URL with an arbitrary frozen HTTP::Response blob, causing the victim's next get() of that URL to return attacker-controlled response bytes. Because the bytes are passed to Storable::thaw, a victim process that has loaded any class with a side-effectful STORABLE_thaw, DESTROY, or overload hook can be escalated to arbitrary code execution.

NAME

WWW::Mechanize::Cached - Cache response to be polite

SYNOPSIS

use WWW::Mechanize::Cached;

my $cacher = WWW::Mechanize::Cached->new(
    cache => {
        class => "Cache::FileCache",
        args => {
           ...
        },
    },
);

$cacher->get( $url );

DESCRIPTION

Uses the Cache::Cache hierarchy to implement a caching Mech. This lets one perform repeated requests without hammering a server impolitely.

CONSTRUCTOR

new

Behaves like, and calls, WWW::Mechanize's new method.

Supports the additional key cache, which should be a hashref containing either or both of two optional keys.

class

Should be the Cache::Cache based module to use. The default is Cache::FileCache.

args

Should be the arguments to pass to that module's own new constructor. Default contents are namespace (set to WWW::Mechanize::Cached) and default_expires_in (set to 1d).
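
One way to keep the cache out of the shared /tmp/FileCache tree described in the advisory, using the class/args form documented above. This is an added example, not code from the module or its author; the cache path under $HOME and the helper cache_root_problems are assumptions made for illustration, and cache_root is the Cache::FileCache option that sets the storage directory.

```perl
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Path qw(make_path);
use File::Spec;
use WWW::Mechanize::Cached;

# Assumption: a per-user cache root under $HOME (path chosen for this example).
my $home = $ENV{HOME} // die "HOME is not set\n";
my $root = File::Spec->catdir( $home, '.cache', 'mech-cached' );

# Hypothetical helper: list the reasons a directory is unsafe as a source of
# entries that will be handed to Storable::thaw. Empty list means usable.
sub cache_root_problems {
    my ($dir) = @_;
    my @st = lstat($dir) or return ("cannot lstat $dir: $!");
    my @why;
    push @why, "$dir is a symlink or not a directory"
        unless S_ISDIR( $st[2] );
    push @why, sprintf( '%s is owned by uid %d, not %d', $dir, $st[4], $> )
        unless $st[4] == $>;
    push @why, sprintf( '%s has mode %04o (group/other writable)',
        $dir, $st[2] & 07777 )
        if $st[2] & ( S_IWGRP | S_IWOTH );
    return @why;
}

make_path( $root, { mode => 0700 } );    # no-op if it already exists
if ( my @why = cache_root_problems($root) ) {
    die "refusing to use cache root:\n  " . join( "\n  ", @why ) . "\n";
}

my $cacher = WWW::Mechanize::Cached->new(
    cache => {
        class => 'Cache::FileCache',
        args  => {
            namespace          => 'WWW::Mechanize::Cached',    # documented default
            default_expires_in => '1d',                        # documented default
            cache_root         => $root,    # private, not /tmp/FileCache
            directory_umask    => 077,      # octal literal: subdirectories 0700
        },
    },
);
```

Write directory_umask as the octal literal 077; the string '077' would be read as decimal 77, which is a different mask.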

METHODS

All methods are provided by WWW::Mechanize. See that module's documentation for details.

THANKS

Andy Lester (PETDANCE) for WWW::Mechanize.

ODDITIES

It may sometimes seem as if it's not caching something. And this may well be true. It uses the HTTP request, in string form, as the key to the cache entries, so any minor changes will result in a different key. This is most noticeable when following links, as WWW::Mechanize adds a Referer header.

BUGS, REQUESTS, COMMENTS

Support for this module is provided via the CPAN RT system:

http://rt.cpan.org/NoAuth/ReportBug.html?Queue=WWW-Mechanize-Cached
( shorter URL: http://xrl.us/63i )

bug-www-mechanize-cached@rt.cpan.org

This makes it much easier for me to track things and thus means your problem is less likely to be neglected.

LICENCE AND COPYRIGHT

This module is copyright © Iain Truskett, 2003. All rights reserved.

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.000 or, at your option, any later version of Perl 5 you may have available.

The full text of the licences can be found in the Artistic and COPYING files included with this module, or in perlartistic and perlgpl as supplied with Perl 5.8.1 and later.

AUTHOR

Iain Truskett <spoon@cpan.org>

SEE ALSO

perl, WWW::Mechanize.