Description
CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away.

The minify function has a memory leak when processing a document containing only characters to be removed, such as comments and whitespace.
Published: 2026-06-29
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A memory leak exists in all releases of CSS::Minifier::XS before 0.14 for Perl. The minify routine leaks memory when it processes content from which every character is ultimately removed, such as a file consisting only of comments and whitespace. Because the leaked memory is never freed, repeated calls can drain system memory and cause the host process or the entire system to become unresponsive. The weakness is classified as CWE-401.

Affected Systems

The affected product is CSS::Minifier::XS, a Perl library developed by GTERMARS. Versions prior to the 0.14 release are vulnerable. Any Perl application, web service, or automated build system that imports this library to minify CSS and accepts unfiltered user input could be at risk.

Risk and Exploitability

The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 6.5 indicates moderate severity. Triggering the leak requires that code using the vulnerable library be executed on the crafted input, which is typically unfiltered CSS from an external source. Based on the description, the likely attack vector is remote exploitation via user-submitted CSS, though local code execution would also be effective. The risk level is moderate to high because a maliciously crafted CSS document can exhaust memory and trigger a denial of service.

Generated by OpenCVE AI on June 29, 2026 at 22:26 UTC.

Remediation

Vendor Solution

Upgrade to CSS::Minifier::XS version 0.14 or later.


OpenCVE Recommended Actions

  • Upgrade CSS::Minifier::XS to version 0.14 or later
  • Configure the application to validate and reject CSS files that would strip entirely to an empty document, such as those consisting solely of comments or whitespace
  • Run the minification routine in a separate, memory-limited process or container to contain any potential memory exhaustion

Generated by OpenCVE AI on June 29, 2026 at 22:26 UTC.
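
As an interim guard for the second recommended action, the following Perl wrapper is an added example, not code from OpenCVE or from the CSS::Minifier::XS project. The helper names (minifier_is_vulnerable, strips_to_empty, safe_minify) are hypothetical, and the test for "would minify away to nothing" is an assumption that approximates the advisory's "comments and whitespace" case.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use CSS::Minifier::XS ();

# Fixed release named in the advisory.
use constant FIXED_VERSION => '0.14';

# True when the loaded module is older than the fixed release.
# UNIVERSAL::VERSION dies if the installed version is too low.
sub minifier_is_vulnerable {
    return !eval { CSS::Minifier::XS->VERSION(FIXED_VERSION); 1 };
}

# Assumption: treats input as "minified away entirely" when nothing but
# whitespace remains after /* ... */ comments are removed. An unterminated
# trailing comment is counted as a comment, to stay conservative.
sub strips_to_empty {
    my ($css) = @_;
    return 1 unless defined $css && length $css;
    (my $rest = $css) =~ s{/\*.*?(?:\*/|\z)}{}gs;
    return $rest !~ /\S/ ? 1 : 0;
}

# Hypothetical wrapper: on a vulnerable install, inputs in the leaking
# class never reach the XS code; everything else is minified as usual.
sub safe_minify {
    my ($css) = @_;
    return '' if minifier_is_vulnerable() && strips_to_empty($css);
    return CSS::Minifier::XS::minify($css) // '';
}

# Constructed sample inputs, run only when the file is executed directly.
unless (caller) {
    my @samples = (
        "/* banner only */\n\n",
        "   \t\n",
        "/* header */ body { color: red; }",
    );
    for my $css (@samples) {
        printf "guarded=%d output=[%s]\n",
            strips_to_empty($css), safe_minify($css);
    }
}
```

The guard narrows exposure only for the input class the advisory describes; upgrading to 0.14 or later remains the fix.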

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away. The minify function has a memory leak when processing a document containing only characters to be removed, such as comments and whitespace.
Title | | CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away
Weaknesses | | CWE-401
References | |

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-29T22:24:13.483Z

Reserved: 2026-06-29T06:55:43.347Z

Link: CVE-2026-13593

Vulnrichment

Updated: 2026-06-29T20:56:55.769Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T22:30:05Z

Weaknesses
  • CWE-401: Missing Release of Memory after Effective Lifetime