Memory Exhaustion Vulnerability in Mojo::JSON Affects Perl Applications
CVE-2026-14803
Currently unrated
What is CVE-2026-14803?
Mojo::JSON versions before 9.47 for Perl contain a vulnerability allowing memory exhaustion through unbounded recursion in the pure-Perl JSON decoder. This issue arises when the pure-Perl decode functions _decode_value, _decode_array, and _decode_object encounter a deeply nested JSON document, leading to excessive memory consumption. This vulnerability poses a risk of denial of service when an untrusted JSON body is decoded using Mojo::Message::json, particularly when the alternative fast path, Cpanel::JSON::XS, is not available. Effective mitigation requires upgrading to Mojo::JSON version 9.47 or later.
Affected Version(s)
Mojo::JSON 0 < 9.47
