Source: libmojolicious-perl
Version: 9.46+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libmojolicious-perl.

CVE-2026-14803[0]:
| Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via
| unbounded recursion in the pure-Perl decoder.  The pure-Perl decode
| path (`_decode_value` dispatching to `_decode_array` and
| `_decode_object`) recurses with no depth limit, so a small deeply
| nested JSON document can consume excessive memory.  This path is the
| default when Cpanel::JSON::XS is not installed or
| `MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not
| affected.  Any caller that decodes an untrusted JSON body, for
| example `Mojo::Message::json` reached through `$c->req->json`, can
| exhaust process memory and cause denial of service.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-14803
    https://www.cve.org/CVERecord?id=CVE-2026-14803
[1] https://lists.security.metacpan.org/cve-announce/msg/41564627/
[2] 
https://github.com/mojolicious/mojo/commit/cc38b0554275c4d84f6b8b49bcbbc1bec2068fe1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to