Memory Exhaustion Vulnerability in Mojo::JSON Affects Perl Applications
CVE-2026-14803

Currently unrated

Key Information:

Vendor

Sri

Vendor
CVE Published:
6 July 2026

What is CVE-2026-14803?

Mojo::JSON versions before 9.47 for Perl contain a vulnerability allowing memory exhaustion through unbounded recursion in the pure-Perl JSON decoder. This issue arises when the pure-Perl decode functions _decode_value, _decode_array, and _decode_object encounter a deeply nested JSON document, leading to excessive memory consumption. This vulnerability poses a risk of denial of service when an untrusted JSON body is decoded using Mojo::Message::json, particularly when the alternative fast path, Cpanel::JSON::XS, is not available. Effective mitigation requires upgrading to Mojo::JSON version 9.47 or later.

Affected Version(s)

Mojo::JSON 0 < 9.47

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.