Cpanel::JSON::XS versions before 4.41 exhibit a type confusion flaw when the dupkeys_as_arrayref feature is enabled. The decoder collapses duplicate object keys into an array reference, but the check that distinguishes a scalar from an array reference evaluates SvRV(old_value) before confirming old_value is a reference. When the existing value is a plain scalar, the code dereferences it as a reference, causing a crash. Because the dereference is driven by attacker‑controlled data, the flaw can lead to a denial of service and potentially to memory corruption that might enable code execution, but the latter is an inference not explicitly confirmed by the vendor.

Product: Cpanel::JSON::XS by rurban. Versions earlier than 4.41 for Perl are affected. The vulnerability applies when dupkeys_as_arrayref is enabled, a configuration option that is typically activated in applications that need to preserve duplicate keys in parsed JSON.

An attacker that supplies untrusted JSON to a Perl application using the vulnerable library with dupkeys_as_arrayref enabled can trigger the flaw. The attack requires that untrusted data reaches the decoder, which could happen via any JSON input such as API calls or web forms. The flaw leads to a crash and interruption of service. Although the CVE description does not list an EPSS score or KEV status, a high CVSS score would be expected if the memory corruption can result in code execution, but this is a potential consequence rather than a confirmed outcome. The primary risk therefore is denial of service and the possible escalation of a memory corruption vulnerability if mitigated measures are not applied.