Memory Leak in JavaScript Minifier for Perl Affects Asset Pipeline Operations
CVE-2026-56018

7.5 HIGH

Key Information:

Vendor: Gtermars
CVE Published: 29 June 2026

What is CVE-2026-56018?

JavaScript::Minifier::XS, prior to version 0.16, leaks memory on every call to the minify() function. The cleanup process fails to free the contents buffer allocated for each token, so memory grows without bound across repeated calls. In long-lived processes such as asset pipelines or server-side minification, this can lead to a denial of service as memory consumption escalates unchecked until resources are exhausted.
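
The leak class described above, as an added illustration that is not the module's source code: a hypothetical tokenizer whose cleanup frees each token node but not the contents buffer it owns, next to the corrected cleanup. The `Token` struct, the function names, the allocation counter and the sample input are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical token node; names are illustrative, not the module's source. */
typedef struct Token { char *contents; struct Token *next; } Token;
static long live_allocs = 0;   /* allocations not yet freed */
static void *xmalloc(size_t n) { void *p = malloc(n); if (!p) abort(); live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

/* Split src on spaces; each token owns a separately allocated copy of its text. */
static Token *tokenize(const char *src) {
    Token *head = NULL, **tail = &head;
    while (*src) {
        size_t len = strcspn(src, " ");
        if (len) {
            Token *t = xmalloc(sizeof *t);
            t->contents = xmalloc(len + 1);
            memcpy(t->contents, src, len);
            t->contents[len] = '\0';
            t->next = NULL;
            *tail = t; tail = &t->next;
        }
        src += len + strspn(src + len, " ");
    }
    return head;
}

/* Leaky cleanup: frees each node but never the contents buffer it owns. */
static void free_tokens_leaky(Token *t) {
    while (t) { Token *n = t->next; xfree(t); t = n; }
}
/* Corrected cleanup: release the contents buffer, then the node. */
static void free_tokens_fixed(Token *t) {
    while (t) { Token *n = t->next; xfree(t->contents); xfree(t); t = n; }
}

/* Run `calls` tokenize/cleanup cycles; return allocations still outstanding. */
long leaked_after(int calls, int fixed) {
    live_allocs = 0;
    for (int i = 0; i < calls; i++) {
        Token *list = tokenize("var a = 1 ;");   /* constructed input: 5 tokens */
        if (fixed) free_tokens_fixed(list); else free_tokens_leaky(list);
    }
    return live_allocs;
}

int main(void) {
    printf("leaky: %ld  fixed: %ld\n", leaked_after(1000, 0), leaked_after(1000, 1));
}
```

The outstanding-allocation count grows linearly with the number of calls in the leaky variant, which is the pattern a long-lived worker would show as steadily rising resident memory.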

Affected Version(s)

JavaScript::Minifier::XS 0 < 0.16

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved