http://qs1969.pair.com?node_id=11139065

TL;DR - your CPAN client may be vulnerable to modified tarballs from untrusted mirrors (and will have been that way forever). Upgrade, force https, force signature verification and ensure it uses a trusted mirror by default.

See the hackeriet.no post listing the vulnerabilities and this in-depth explanation of what is vulnerable and what to do about it.


🦛
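
One way to check a CPAN.pm setup against the advice in the post above; this is an added example, not part of the original post or of any CPAN client. It assumes the per-user config lives at `~/.cpan/CPAN/MyConfig.pm` (pass another path as the first argument) and looks only at the `urllist` and `check_sigs` settings.

```perl
#!/usr/bin/env perl
# Added example: audit a CPAN.pm config file for plain-http mirrors and
# disabled signature checking. Read-only; it changes nothing.
use strict;
use warnings;
use File::Spec;

# Assumed default location of the per-user config; override with an argument.
my $file = File::Spec->rel2abs(shift // "$ENV{HOME}/.cpan/CPAN/MyConfig.pm");
-r $file or die "cannot read $file\n";

# MyConfig.pm is plain Perl that assigns a hashref to $CPAN::Config and
# returns a true value, so loading it with do() is enough to inspect it.
defined(do $file) or die "cannot load $file: " . ($@ || $!) . "\n";
my $conf = $CPAN::Config;
ref $conf eq 'HASH' or die "$file did not set \$CPAN::Config\n";

my @findings;

# Mirrors: every entry should be https, and the list should not be empty,
# otherwise the mirror in use is not pinned by this file.
my @urls = @{ $conf->{urllist} || [] };
push @findings, 'urllist is empty: no mirror is pinned in this config'
    unless @urls;
push @findings, "mirror is not https: $_" for grep { !m{^https://}i } @urls;

# Signature verification: check_sigs must be true, and it relies on
# Module::Signature being installed.
push @findings, 'check_sigs is off: signatures are not verified'
    unless $conf->{check_sigs};
push @findings, 'Module::Signature is not installed: check_sigs cannot work'
    unless eval { require Module::Signature; 1 };

if (@findings) {
    print "FINDING: $_\n" for @findings;
    exit 1;
}
print "OK: https mirrors only, signature checking enabled\n";
```

A non-zero exit status means at least one finding, which makes the script usable as a gate in a provisioning or CI step.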

Re: CPAN clients exposed to sig-related vulnerabilities
by marto (Cardinal) on Nov 24, 2021 at 09:42 UTC