Description
Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled.

decode_hv() collapses duplicate object keys into an array reference under dupkeys_as_arrayref. The branch reached for a duplicate key tests `SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) != SVt_PVAV`, which evaluates SvRV(old_value) before establishing that old_value is a reference. When the existing value is a plain scalar rather than an array reference, a non-reference scalar is dereferenced as a reference.

A caller decoding untrusted JSON with dupkeys_as_arrayref enabled is crashed, and the incompatible access follows a pointer taken from attacker controlled scalar contents.
Published: 2026-06-03
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cpanel::JSON::XS versions before 4.41 exhibit a type confusion flaw when the dupkeys_as_arrayref feature is enabled. The decoder collapses duplicate object keys into an array reference, but the check that distinguishes a scalar from an array reference evaluates SvRV(old_value) before confirming old_value is a reference. When the existing value is a plain scalar, the code dereferences it as a reference, causing a crash. Because the dereference is driven by attacker‑controlled data, the flaw can lead to a denial of service and potentially to memory corruption that might enable code execution, but the latter is an inference not explicitly confirmed by the vendor.

Affected Systems

Product: Cpanel::JSON::XS by rurban. Versions earlier than 4.41 for Perl are affected. The vulnerability applies when dupkeys_as_arrayref is enabled, a configuration option that is typically activated in applications that need to preserve duplicate keys in parsed JSON.

Risk and Exploitability

An attacker that supplies untrusted JSON to a Perl application using the vulnerable library with dupkeys_as_arrayref enabled can trigger the flaw. The attack requires that untrusted data reaches the decoder, which could happen via any JSON input such as API calls or web forms. The flaw leads to a crash and interruption of service. The CVSS score of 7.3 indicates a high severity, while the EPSS score of <1% suggests a low probability of exploitation so far, and the vulnerability is not listed in CISA KEV. The primary risk therefore is denial of service and the potential for memory corruption if mitigated measures are not applied.

Generated by OpenCVE AI on June 3, 2026 at 19:21 UTC.

Remediation

Vendor Solution

Upgrade to Cpanel::JSON::XS 4.41 or later.

OpenCVE Recommended Actions

  • Upgrade Cpanel::JSON::XS to version 4.41 or later to patch the type‑confusion flaw.
  • Disable dupkeys_as_arrayref in any configuration that processes untrusted JSON, or only enable it for trusted data.
  • Validate input sources to ensure JSON data does not come from an untrusted or authenticated user before calling decode_hv with dupkeys_as_arrayref enabled.

Generated by OpenCVE AI on June 3, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Rurban cpanel\
CPEs cpe:2.3:a:rurban:cpanel\:\:json\:\:xs:*:*:*:*:*:perl:*:*
Vendors & Products Rurban cpanel\

Wed, 03 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
References

Wed, 03 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
First Time appeared Rurban
Rurban cpanel::json::xs
Vendors & Products Rurban
Rurban cpanel::json::xs

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled. decode_hv() collapses duplicate object keys into an array reference under dupkeys_as_arrayref. The branch reached for a duplicate key tests `SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) != SVt_PVAV`, which evaluates SvRV(old_value) before establishing that old_value is a reference. When the existing value is a plain scalar rather than an array reference, a non-reference scalar is dereferenced as a reference. A caller decoding untrusted JSON with dupkeys_as_arrayref enabled is crashed, and the incompatible access follows a pointer taken from attacker controlled scalar contents.
Title Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled
Weaknesses CWE-843
References

Subscriptions

Rurban Cpanel::json::xs Cpanel\
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-03T17:29:49.416Z

Reserved: 2026-05-22T23:33:44.954Z

Link: CVE-2026-9334

cve-icon Vulnrichment

Updated: 2026-06-03T09:35:37.984Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-03T01:16:23.287

Modified: 2026-06-05T17:36:29.090

Link: CVE-2026-9334

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T19:30:36Z

Weaknesses
  • CWE-843

    Access of Resource Using Incompatible Type ('Type Confusion')