Impact
The vulnerability is a memory leak in JavaScript::Minifier::XS before version 0.16. Internally, the buffers that hold token contents are never freed after minification, so every call to the minifier retains the memory it allocated for the input it processed. A second leak sits on the early-return path taken when the node list is empty: the entire NodeSet is dropped without being released. A long-lived process that repeatedly calls the minify function therefore grows its memory footprint without bound until it exhausts available memory and is killed, either by the kernel or by a supervisor enforcing a memory limit. The impact is a denial of service against any service that consumes the library.
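The growth described above can be measured directly rather than inferred. The following harness is an added example, not code from the module or from the advisory: it warms up the allocator, then calls `minify` on a constructed JavaScript fragment and on empty input (the latter is assumed to reach the empty-node-list path) while sampling the process's resident set size. RSS sampling via `/proc/self/statm` and the 8 MiB pass/fail threshold are assumptions for a Linux host; adjust for your platform.

```perl
#!/usr/bin/env perl
# Added example: measure per-call RSS growth of JavaScript::Minifier::XS::minify.
# Not part of the module. Assumes Linux (/proc/self/statm) for RSS sampling.
use strict;
use warnings;
use POSIX qw(sysconf _SC_PAGESIZE);
use JavaScript::Minifier::XS qw(minify);

my $PAGE = sysconf(_SC_PAGESIZE) || 4096;

# Resident set size in bytes, read from /proc (assumption: Linux procfs layout,
# second field of statm is resident pages).
sub rss_bytes {
    open my $fh, '<', '/proc/self/statm' or die "cannot read /proc/self/statm: $!";
    my $line = <$fh>;
    close $fh;
    my (undef, $resident) = split ' ', $line;
    return $resident * $PAGE;
}

# Constructed sample input: ~1 KiB of JavaScript with comments and whitespace,
# so the minifier allocates token buffers of non-trivial size on each call.
my $js = join "\n", map {
    "// comment $_\nfunction f$_ (a, b) {\n    return a + b * $_; /* block */\n}"
} 1 .. 20;

my $warmup     = 1_000;    # let the allocator reach steady state first
my $iterations = 20_000;

minify($js) for 1 .. $warmup;
minify('')  for 1 .. $warmup;   # empty input: assumed to hit the early-return path
my $before = rss_bytes();

for (1 .. $iterations) {
    minify($js);
    minify('');
}
my $after = rss_bytes();

my $growth   = $after - $before;
my $per_call = $growth / (2 * $iterations);
printf "JavaScript::Minifier::XS %s: RSS %d -> %d bytes (~%.1f bytes/call)\n",
    $JavaScript::Minifier::XS::VERSION, $before, $after, $per_call;

# After warm-up a non-leaking build should show growth near zero; steady growth
# on the order of the input size per call is the leak this advisory describes.
# The 8 MiB threshold is an assumption chosen for this input and iteration count.
exit($growth > 8 * 1024 * 1024 ? 1 : 0);
```

Run it once against the installed version and once after upgrading to 0.16 or later; the exit status makes it usable as a gate in a build pipeline. RSS is a coarse signal (the allocator may hold freed pages), which is why the harness warms up before taking the baseline and compares growth over many thousands of calls rather than a handful.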
Affected Systems
The affected product is GTERMARS:JavaScript::Minifier::XS. Every installation of the module earlier than release 0.16 is vulnerable. Systems that host asset pipelines, web servers, or any server-side code that minifies JavaScript repeatedly are exposed, and the exposure is greatest in long-lived Perl processes such as persistent application-server workers, where a leak accumulates across many requests instead of being discarded when a short-lived script exits.
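A quick way to check whether a host carries an affected build is to compare the installed module version against the fixed release. The script below is an added example, not part of the module or the advisory; it assumes the module's version is a plain decimal string of the form `0.NN` (as the module's CPAN releases are) and treats underscore developer releases by their numeric prefix.

```sh
#!/bin/sh
# Added example: audit the installed JavaScript::Minifier::XS against the fixed
# release (0.16). Not part of the module or the advisory.

# Returns 0 (true) when VERSION is numerically below 0.16, i.e. affected.
# Perl decimal versions compare as numbers, so 0.09 < 0.15 < 0.16 as expected.
# Returns 2 (false) for a string that is not a dotted numeric version.
minifier_xs_affected() {
    awk -v v="$1" 'BEGIN {
        if (v !~ /^[0-9]+\.[0-9]+/) exit 2   # not a version string we understand
        exit !((v + 0) < 0.16)
    }'
}

# Prints the installed module version, or nothing (non-zero exit) if the module
# cannot be loaded. Assumes "perl" on PATH is the interpreter the service uses.
installed_minifier_xs_version() {
    perl -MJavaScript::Minifier::XS -e 'print $JavaScript::Minifier::XS::VERSION' 2>/dev/null
}

if v=$(installed_minifier_xs_version) && [ -n "$v" ]; then
    if minifier_xs_affected "$v"; then
        echo "JavaScript::Minifier::XS $v: affected, upgrade to 0.16 or later"
    else
        echo "JavaScript::Minifier::XS $v: not affected"
    fi
else
    echo "JavaScript::Minifier::XS: not installed for $(command -v perl || echo perl)"
fi
```

Run it with the same `perl` and `PERL5LIB` the service itself uses; a system Perl and an application-local installation (local::lib, Carton, a container image) can carry different versions, and only the one the long-lived process actually loads matters.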
Risk and Exploitability
Exploitation requires nothing more than repeated use of the minify API. An attacker who can cause the vulnerable function to be invoked many times, for example through repeated uploads or automated requests to an endpoint that minifies JavaScript on demand, can drive the target process to consume memory until it fails. The EPSS score is unavailable and the CVE is not listed in the CISA KEV catalog, but the CVSS score of 7.5 (High) reflects that the impact, while limited to availability, is complete: the process stops serving. The reachable attack surface is whatever path lets request volume or input reach the minifier; where only trusted build tooling calls it, the risk is confined to that pipeline, but any attacker who can influence how often the minifier runs can trigger the denial of service. The absence of code execution does not lessen the impact on availability. Worker recycling after a fixed number of requests or a per-process memory limit bounds the damage by turning exhaustion into a restart, but it does not remove the leak; the fix is to upgrade to 0.16 or later.
OpenCVE Enrichment