File::Find::Object is "an object-oriented and iterative replacement for File::Find. I.e: it is a module for traversing a directory tree, and finding all the files contained within it programatically". A format string vulnerability in File-Find-Object allows local attackers to cause the program to execute arbitrary code by causing the product to go into a loop where it will try and print out the looping directory without providing a format string.
The information has been provided by Shlomi Fish.
As one can see $self->_father($ptr)->dir() is included directly in the printf-format, which may cause a lot of unexpected behavior. There was a Perl-sprintf vulnerability a while ago, in which the Perl interpreter mis-handled some badly formatted sprintf-values, and in general letting the user input stuff directly into the printf-format field is not such a good idea.
->dir() is encountered in the directory tree that File-Find-Object traverses.