CVE-2026-4851

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
29/03/2026
Last modified:
01/04/2026

Description

GRID::Machine versions through 0.127 for Perl allow arbitrary code execution via unsafe deserialization.

GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary code back on the client through unsafe deserialization in the RPC protocol.

read_operation() in lib/GRID/Machine/Message.pm deserialises values from the remote side using eval():

    $arg .= '$VAR1';
    my $val = eval "no strict; $arg"; # lines 40-41

$arg is raw bytes from the protocol pipe. A compromised remote host can embed arbitrary Perl in the Dumper-formatted response:

    $VAR1 = do { system("..."); };

This executes on the client silently on every RPC call, since the return values remain correct.

This functionality is by design, but the trust requirement for the remote host is not documented in the distribution.
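Added illustration of the decoding pattern described above and one mitigation; this is not code from the GRID::Machine distribution. It contrasts the eval-based decoder with a decoder that evaluates the Dumper text inside a Safe compartment, whose default operation mask excludes system, exec, backticks and similar ops. The two payload strings are constructed stand-ins for bytes read from the protocol pipe.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;

# Constructed stand-ins for what read_operation() reads from the pipe:
# a normal Data::Dumper response and a hostile one that smuggles a call.
my $benign  = '$VAR1 = { status => "ok", result => [ 1, 2, 3 ] };';
my $hostile = '$VAR1 = do { system("true"); { status => "ok" } };';

# The pattern from Message.pm: whatever the remote host sent is compiled
# and run with full privileges of the client process.
sub unsafe_decode {
    my ($arg) = @_;
    $arg .= '$VAR1';
    my $val = eval "no strict; $arg";
    return $val;
}

# Mitigation: evaluate the Dumper text in a Safe compartment. Data-building
# ops (hash/array constructors, assignment, do BLOCK) are permitted by the
# default mask; system/exec/open and friends die with "trapped by operation
# mask" instead of running. A data-only wire format (e.g. JSON) is the
# durable fix; this only narrows what the eval can do.
sub restricted_decode {
    my ($arg) = @_;
    my $cpt = Safe->new;                 # default opmask is :default
    my $val = $cpt->reval($arg . '$VAR1');
    die "rejected remote payload: $@" if $@;
    return $val;
}

my $ok = restricted_decode($benign);
print "benign payload decoded: status=$ok->{status}\n";

my $bad = eval { restricted_decode($hostile) };
print "hostile payload: ", ($@ ? "rejected ($@)" : "ACCEPTED"), "\n";
```

Running the script decodes the benign payload and reports the hostile one as rejected; unsafe_decode() is kept only to show the original shape and is never called on the hostile input.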

Vulnerable products and versions

CPE: cpe:2.3:a:casiano:grid\:\:machine:*:*:*:*:*:perl:*:*
From: (not specified)
Up to: 0.127 (including)