Denial of Service Vulnerability in JavaScript Minifier for Perl by GTERMARS
CVE-2026-56017
7.5 HIGH
What is CVE-2026-56017?
A vulnerability exists in JavaScript::Minifier::XS for Perl prior to version 0.16, where a NULL pointer dereference occurs when the first meaningful token of the input is a slash. The regexp versus division disambiguator in JsTokenizeString fails to locate a valid preceding token when only whitespace or comments come before the slash token. As a result, a crash can be triggered via the public minify() API, allowing an attacker to cause a denial of service by sending malicious input, even input as simple as a single slash. This vulnerability can be exploited through services that minify untrusted or third-party JavaScript.
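The bug class described above, as an added example that is not the module's source code: a simplified model of a regexp versus division disambiguator that walks back over whitespace and comments and treats "no preceding token" as a defined case instead of dereferencing it. The type and function names (Tok, prev_significant, slash_starts_regex) and the heuristic itself are assumptions made for illustration; the actual change in version 0.16 is not shown on this page.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified token model; all names here are hypothetical. */
typedef enum { T_WHITESPACE, T_COMMENT, T_IDENT, T_LITERAL, T_SIGIL } TokType;

typedef struct Tok {
    const struct Tok *prev;   /* NULL at the start of the input */
    TokType type;
    const char *text;
} Tok;

/* Walk back to the nearest token that is not whitespace or a comment.
 * Returns NULL when nothing meaningful precedes the slash. */
static const Tok *prev_significant(const Tok *t) {
    while (t != NULL && (t->type == T_WHITESPACE || t->type == T_COMMENT))
        t = t->prev;
    return t;
}

/* Decide what a '/' that follows `last` means: 1 = regexp, 0 = division.
 * The heuristic is deliberately simplified for this example. */
int slash_starts_regex(const Tok *last) {
    const Tok *p = prev_significant(last);
    if (p == NULL)   /* the guard: a slash that opens the input has no left operand */
        return 1;
    if (p->type == T_IDENT || p->type == T_LITERAL)
        return 0;    /* a value precedes the slash: division */
    if (p->type == T_SIGIL && p->text != NULL &&
        (p->text[0] == ')' || p->text[0] == ']'))
        return 0;    /* a closed expression precedes the slash: division */
    return 1;
}

int main(void) {
    /* Constructed inputs: whitespace plus a comment before the slash, and "a /". */
    Tok ws = { NULL, T_WHITESPACE, "  " };
    Tok cm = { &ws, T_COMMENT, "/* c */" };
    Tok id = { NULL, T_IDENT, "a" };
    Tok sp = { &id, T_WHITESPACE, " " };
    printf("slash alone: %d\n", slash_starts_regex(NULL));
    printf("after comment only: %d\n", slash_starts_regex(&cm));
    printf("after identifier: %d\n", slash_starts_regex(&sp));
    return 0;
}
```

Without the `p == NULL` branch, the first two calls in `main` would read `p->type` through a NULL pointer, which is the crash condition the description attributes to slash-first input.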
Affected Version(s)
JavaScript::Minifier::XS 0 < 0.16
