CVE-2026-14803

Summary

Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder.

The pure-Perl decode path (_decode_value dispatching to _decode_array and _decode_object) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory.

This path is the default when Cpanel::JSON::XS is not installed or MOJO_NO_JSON_XS=1 is set; the Cpanel::JSON::XS fast path is not affected.

Any caller that decodes an untrusted JSON body, for example Mojo::Message::json reached through $c->req->json, can exhaust process memory and cause denial of service.

Affected Software

VendorProductVersion RangeStatus
SRIMojo::JSON0 < 9.47affected

Weaknesses

  • CWE-674: CWE-674 Uncontrolled Recursion

Workarounds

Where upgrading is not possible, install Cpanel::JSON::XS in the include path and leave MOJO_NO_JSON_XS unset.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References