Impact
The vulnerability is an unbounded recursion in the pure‑Perl JSON decoder used by Mojo::JSON before version 9.47, which allows a crafted deeply nested JSON document to consume an excessive amount of memory. When the decoder processes such a payload it recursively calls internal functions without a depth limit, causing the Perl process to allocate memory until it runs out, which can result in a denial of service. This weakness is described by CWE‑674 and results in a loss of availability for the application consuming the JSON.
Affected Systems
The affected package is Mojo::JSON from SRI, part of the Mojolicious framework for Perl. All versions earlier than 9.47 are vulnerable. Systems that use the default pure‑Perl decoder, such as web services that decode JSON bodies via Mojo::Message::json or $c->req->json, are at risk if they do not have a newer version installed or a faster JSON backend available.
Risk and Exploitability
There is no publicly known exploit code, and the EPSS score is not available, but the vulnerability could be leveraged by sending a deeply nested JSON request to a vulnerable service. An attacker with the ability to submit arbitrary JSON would trigger memory exhaustion, possibly bringing the process to a halt. The risk is reflected in its high impact on availability, and is not listed in CISA KEV, indicating no known mass exploitation, yet the lack of depth limits means the issue is highly actionable if a vulnerable server is reachable.
OpenCVE Enrichment