CVE-2025-40928
BaseFortify
Publication date: 2025-09-08
Last updated on: 2025-11-04
Assigner: CPANSec
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| debian | libjson-xs-perl | 4.030-1+deb11u1 |
| perl | json_xs | 4.04 |
| perl | json_xs | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an integer buffer overflow in JSON::XS versions before 4.04 for Perl. It occurs during the parsing of crafted JSON input, specifically involving recursive parsing of numeric strings. The flaw can cause a stack overflow due to excessive recursion depth, leading to a segmentation fault (crash) and enabling denial-of-service attacks or other unspecified impacts. [1]
How can this vulnerability impact me?
The vulnerability can cause denial-of-service by crashing applications that use the affected JSON::XS library when parsing maliciously crafted JSON data. This can disrupt service availability and potentially lead to other unspecified impacts depending on how the application handles such crashes. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a stack overflow caused by parsing crafted JSON input with JSON::XS before version 4.04. Detection can be performed by testing the JSON::XS parser with specially crafted JSON payloads that include deeply nested or malformed numeric strings to trigger the overflow. There are no specific commands provided in the resources, but you can attempt to parse suspicious JSON inputs using a Perl script that uses the vulnerable JSON::XS version and monitor for crashes or segfaults. Network detection could involve monitoring for unusual JSON payloads or denial-of-service symptoms related to JSON parsing. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading JSON::XS to version 4.04 or later, which contains the patch addressing the integer buffer overflow and stack overflow vulnerabilities. If upgrading is not immediately possible, avoid processing untrusted or malformed JSON inputs that could trigger the vulnerability. Applying the patch described in Resource 1 to the XS.xs source file is also a direct mitigation. [1]
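As an added example (not from the BaseFortify page or the JSON::XS project), the following shell snippet turns the mitigation advice above into a check: it compares a JSON::XS version string against the fixed release 4.04 and queries the locally installed module. The function names, the `awk` comparison and the "not installed" fallback are this example's own choices. Note that Perl module versions are decimal numbers, so 4.030 means 4.03 and is below 4.04; a natural "version sort" would get that wrong, which is why the comparison is done numerically.

```shell
# Added example, not from the original page: version check for the JSON::XS fix.
FIXED_VERSION="4.04"   # first upstream release containing the fix, per the advisory

# jsonxs_is_fixed VERSION
#   exit 0 if VERSION is 4.04 or later, 1 otherwise.
#   Perl module versions are decimals (4.030 == 4.03 < 4.04), so compare
#   numerically; awk's "v + 0" also strips a Debian suffix such as "-1+deb11u1".
jsonxs_is_fixed() {
    awk -v v="$1" 'BEGIN { exit (v + 0 >= 4.04) ? 0 : 1 }'
}

# installed_jsonxs_version
#   print the version of the JSON::XS module Perl would load, or "not installed".
installed_jsonxs_version() {
    perl -MJSON::XS -e 'print $JSON::XS::VERSION' 2>/dev/null || echo "not installed"
}

# check_local_jsonxs
#   report whether the locally installed JSON::XS is at or past the fixed release.
check_local_jsonxs() {
    ver=$(installed_jsonxs_version)
    if [ "$ver" = "not installed" ]; then
        echo "JSON::XS: not installed"
    elif jsonxs_is_fixed "$ver"; then
        echo "JSON::XS $ver: at or past $FIXED_VERSION"
    else
        echo "JSON::XS $ver: below $FIXED_VERSION, upgrade required"
    fi
}
```

Run `check_local_jsonxs` on each host that parses JSON with Perl. For distribution packages such as Debian's libjson-xs-perl, a fix may be backported under a version string that still starts with an older upstream number, so treat a "below 4.04" result from this upstream comparison as a prompt to check the package changelog or security tracker, not as the final word.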