Impact
String::Util versions before 1.36 strip trailing whitespace using a regex that matches greedily and triggers quadratic backtracking on long runs of whitespace. This causes a denial‑of‑service condition by exhausting CPU resources when an attacker supplies a malicious string with an extended sequence of whitespace characters. The flaw is classified as CWE-1333 and can compromise the availability of any Perl application that imports the trim or rtrim functions from this module with untrusted input.
Affected Systems
Bakersc String::Util is the vendor and product impacted. All installations of this Perl module with a version earlier than 1.36 are affected. Applications that use trim or rtrim on input from users, web forms, or external APIs are potentially vulnerable. No other vendors or products are listed in the CNA data.
Risk and Exploitability
The CVSS score is not specified, but the severity is significant because the attack can trigger full‑blown denial‑of‑service by killing CPU resources. The EPSS score is unavailable, and the vulnerability is not listed in CISA KEV, but the lack of a published exploit does not diminish risk. The likely attack vector is any system that accepts untrusted strings and passes them directly to trim or rtrim – for example, web applications that trim user input before processing. An attacker could send a request containing thousands of whitespace characters to exhaust the server, leading to degraded performance or crashes. Because the vulnerability resides in a widely used module, the scope is broad, affecting many Perl applications.
OpenCVE Enrichment