Description
Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder.

The pure-Perl decode path (`_decode_value` dispatching to `_decode_array` and `_decode_object`) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory.

This path is the default when Cpanel::JSON::XS is not installed or `MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not affected.

Any caller that decodes an untrusted JSON body, for example `Mojo::Message::json` reached through `$c->req->json`, can exhaust process memory and cause denial of service.
Published: 2026-07-06
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unbounded recursion in the pure‑Perl JSON decoder used by Mojo::JSON before version 9.47, which allows a crafted deeply nested JSON document to consume an excessive amount of memory. When the decoder processes such a payload it recursively calls internal functions without a depth limit, causing the Perl process to allocate memory until it runs out, which can result in a denial of service. This weakness is described by CWE‑674 and results in a loss of availability for the application consuming the JSON.

Affected Systems

The affected package is Mojo::JSON from SRI, part of the Mojolicious framework for Perl. All versions earlier than 9.47 are vulnerable. Systems that use the default pure‑Perl decoder, such as web services that decode JSON bodies via Mojo::Message::json or $c->req->json, are at risk if they do not have a newer version installed or a faster JSON backend available.

Risk and Exploitability

There is no publicly known exploit code, and the EPSS score is not available, but the vulnerability could be leveraged by sending a deeply nested JSON request to a vulnerable service. An attacker with the ability to submit arbitrary JSON would trigger memory exhaustion, possibly bringing the process to a halt. The risk is reflected in its high impact on availability, and is not listed in CISA KEV, indicating no known mass exploitation, yet the lack of depth limits means the issue is highly actionable if a vulnerable server is reachable.

Generated by OpenCVE AI on July 6, 2026 at 08:14 UTC.

Remediation

Vendor Solution

Upgrade to Mojolicious 9.47 or later.


Vendor Workaround

Where upgrading is not possible, install Cpanel::JSON::XS in the include path and leave `MOJO_NO_JSON_XS` unset.


OpenCVE Recommended Actions

  • Upgrade Mojo::JSON to version 9.47 or later within the Mojolicious framework.
  • If upgrading is not feasible, install Cpanel::JSON::XS into the application’s include path and ensure that the MOJO_NO_JSON_XS environment variable is not set so that the fast JSON backend is used.
  • For applications that must continue to use the pure‑Perl decoder, limit the size and nesting depth of incoming JSON payloads, or reject excessively large bodies before decoding to mitigate memory usage.

Generated by OpenCVE AI on July 6, 2026 at 08:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 02:00:00 +0000

Type Values Removed Values Added
Description Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder. The pure-Perl decode path (`_decode_value` dispatching to `_decode_array` and `_decode_object`) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory. This path is the default when Cpanel::JSON::XS is not installed or `MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not affected. Any caller that decodes an untrusted JSON body, for example `Mojo::Message::json` reached through `$c->req->json`, can exhaust process memory and cause denial of service.
Title Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder
Weaknesses CWE-674
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-07-06T05:27:01.702Z

Reserved: 2026-07-05T21:23:29.979Z

Link: CVE-2026-14803

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T08:15:11Z

Weaknesses