Description
String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service.

The trim and rtrim functions stripped trailing whitespace with s/\s*$//u. Because \s* matches greedily and the $ anchor fails whenever a non-whitespace character follows the whitespace, the regex engine retries the match at each offset of a long whitespace run, producing quadratic backtracking. The fix replaces \s*$ with \s+$.

Any caller that passes untrusted input to trim or rtrim can trigger CPU exhaustion with a string containing a long run of whitespace.
Published: 2026-07-07
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

String::Util versions before 1.36 strip trailing whitespace using a regex that matches greedily and triggers quadratic backtracking on long runs of whitespace. This causes a denial‑of‑service condition by exhausting CPU resources when an attacker supplies a malicious string with an extended sequence of whitespace characters. The flaw is classified as CWE-1333 and can compromise the availability of any Perl application that imports the trim or rtrim functions from this module with untrusted input.

Affected Systems

Bakersc String::Util is the vendor and product impacted. All installations of this Perl module with a version earlier than 1.36 are affected. Applications that use trim or rtrim on input from users, web forms, or external APIs are potentially vulnerable. No other vendors or products are listed in the CNA data.

Risk and Exploitability

The CVSS score is not specified, but the severity is significant because the attack can trigger full‑blown denial‑of‑service by killing CPU resources. The EPSS score is unavailable, and the vulnerability is not listed in CISA KEV, but the lack of a published exploit does not diminish risk. The likely attack vector is any system that accepts untrusted strings and passes them directly to trim or rtrim – for example, web applications that trim user input before processing. An attacker could send a request containing thousands of whitespace characters to exhaust the server, leading to degraded performance or crashes. Because the vulnerability resides in a widely used module, the scope is broad, affecting many Perl applications.

Generated by OpenCVE AI on July 8, 2026 at 04:06 UTC.

Remediation

Vendor Solution

Upgrade to version 1.36 or later.


Vendor Workaround

For deployments that cannot upgrade, enforce a maximum length on strings before passing them to the trim and rtrim functions. Note that the HTML form field maxlength attribute is only enforced client-side.


OpenCVE Recommended Actions

  • Upgrade to String::Util 1.36 or newer.
  • For deployments that cannot upgrade, enforce a maximum length on input strings before they are passed to trim or rtrim.
  • Audit all code paths that call trim or rtrim on untrusted data and replace them with the patched logic or omit them for long inputs.
  • Continuously monitor CPU usage and request latency to detect any remaining denial‑of‑service symptoms.

Generated by OpenCVE AI on July 8, 2026 at 04:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 22:45:00 +0000

Type Values Removed Values Added
Description String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service. The trim and rtrim functions stripped trailing whitespace with s/\s*$//u. Because \s* matches greedily and the $ anchor fails whenever a non-whitespace character follows the whitespace, the regex engine retries the match at each offset of a long whitespace run, producing quadratic backtracking. The fix replaces \s*$ with \s+$. Any caller that passes untrusted input to trim or rtrim can trigger CPU exhaustion with a string containing a long run of whitespace.
Title String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service
Weaknesses CWE-1333
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-07-08T00:28:33.750Z

Reserved: 2026-07-06T18:31:10.251Z

Link: CVE-2026-14895

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T04:15:04Z

Weaknesses
  • CWE-1333

    Inefficient Regular Expression Complexity