CVE-2026-14803
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder.
The pure-Perl decode path (_decode_value dispatching to _decode_array and _decode_object) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory.
This path is the default when Cpanel::JSON::XS is not installed or MOJO_NO_JSON_XS=1 is set; the Cpanel::JSON::XS fast path is not affected.
Any caller that decodes an untrusted JSON body, for example Mojo::Message::json reached through $c->req->json, can exhaust process memory and cause denial of service.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SRI | Mojo::JSON | 0 < 9.47 | affected |
Weaknesses
- CWE-674: CWE-674 Uncontrolled Recursion
Workarounds
Where upgrading is not possible, install Cpanel::JSON::XS in the include path and leave MOJO_NO_JSON_XS unset.
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/mojolicious/mojo/commit/cc38b0554275c4d84f6b8b49bcbbc1bec2068fe1.patch
- https://metacpan.org/release/SRI/Mojolicious-9.47/changes
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.