Description
JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash.

The regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token's last byte to choose between a regexp literal and a division operator. When a slash is the first meaningful token, with the start of input or only whitespace and comments before it, there is no valid preceding token: the walk back over whitespace and comment nodes runs off the head of the node list to NULL, and the byte lookup reads through a NULL contents pointer at an underflowed length index. The following identifier check dereferences the same NULL pointer.

The crash is reachable through the public minify() API, so input as small as a single slash byte crashes the calling process. A service that minifies untrusted or third-party JavaScript can be crashed by a remote request, causing denial of service.
Published: 2026-06-29
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a NULL pointer dereference in the JavaScript::Minifier::XS Perl XS implementation. It occurs when the first meaningful token in the input is a slash, causing the tokenizer to look back for a preceding token, walk past the head of the node list, and dereference a NULL contents pointer. The crash is triggered through the publicly exposed minify() API, so an attacker can supply a single slash and immediately cause the caller process to terminate. This results in denial of service for any service that uses the module to minify untrusted or third‑party JavaScript.

Affected Systems

Affected is the GTERMARS JavaScript::Minifier::XS module. Versions earlier than 0.16 are vulnerable. The upgrade path is to install JavaScript::Minifier::XS 0.16 or later.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not included in the CISA KEV catalog. The CVSS score of 7.5 indicates high severity, but the critical outcome is an application crash. If the minifying service runs as a privileged process or exposes the API over the network, the attack vector is remote, allowing an attacker to trigger the crash with a minimal payload. The risk is high in environments where the module is used on untrusted input and there is no process isolation.

Generated by OpenCVE AI on June 29, 2026 at 22:26 UTC.

Remediation

Vendor Solution

Upgrade to JavaScript::Minifier::XS version 0.16 or later.

OpenCVE Recommended Actions

  • Upgrade JavaScript::Minifier::XS to version 0.16 or newer
  • Run the minification service in a sandboxed or isolated environment with the least privilege necessary
  • Validate or reject input that begins with a slash or otherwise filter untrusted JavaScript before it reaches the minify() function

Generated by OpenCVE AI on June 29, 2026 at 22:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash. The regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token's last byte to choose between a regexp literal and a division operator. When a slash is the first meaningful token, with the start of input or only whitespace and comments before it, there is no valid preceding token: the walk back over whitespace and comment nodes runs off the head of the node list to NULL, and the byte lookup reads through a NULL contents pointer at an underflowed length index. The following identifier check dereferences the same NULL pointer. The crash is reachable through the public minify() API, so input as small as a single slash byte crashes the calling process. A service that minifies untrusted or third-party JavaScript can be crashed by a remote request, causing denial of service.
Title JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash
Weaknesses CWE-125
CWE-476
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-29T22:24:35.943Z

Reserved: 2026-06-18T11:27:09.117Z

Link: CVE-2026-56017

cve-icon Vulnrichment

Updated: 2026-06-29T20:54:55.327Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T22:30:05Z

Weaknesses