CVE-2025-40930
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-08

Last updated on: 2025-11-04

Assigner: CPANSec

Description
JSON::SIMD before version 1.07 and earlier for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-08
Last Modified
2025-11-04
Generated
2026-06-16
AI Q&A
2025-09-08
EPSS Evaluated
2026-06-14
NVD
CVE-2025-40930
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
perl json_simd *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an integer buffer overflow in the legacy floating point number parser of the JSON::SIMD Perl module (before version 1.07). When parsing specially crafted JSON input, the legacy parser can read beyond the allocated memory buffer, causing a segmentation fault. This flaw occurs only when the legacy decoder is explicitly enabled or when the simdjson decoder falls back to the legacy parser under certain compile-time options. The issue allows denial-of-service attacks by crashing the parser. [1]

Impact Analysis

The vulnerability can cause the JSON::SIMD parser to crash (segmentation fault) when processing maliciously crafted JSON input. This leads to denial-of-service (DoS) attacks, potentially disrupting applications or services that rely on JSON::SIMD for JSON parsing. Other unspecified impacts are possible but not detailed. [1]

Detection Guidance

This vulnerability can be detected by testing the JSON::SIMD Perl module's legacy floating point parser with specially crafted JSON input designed to trigger the buffer overread and segmentation fault. One approach is to run a test similar to the one added in the patch's test file, which decodes a JSON array containing a floating point number with very long sequences of digits (e.g., 1000 repeated '1's before and after the decimal point). There are no specific network detection commands provided, but locally you can attempt to parse such crafted JSON inputs using JSON::SIMD with the legacy decoder enabled (JSON::SIMD->new->use_simdjson(0)) and observe if a crash or segfault occurs. [1]

Mitigation Strategies

Immediate mitigation steps include updating JSON::SIMD to a version later than 1.07 where the patch fixing this vulnerability is applied. If updating is not immediately possible, avoid enabling the legacy floating point parser by not disabling the simdjson decoder (i.e., do not use JSON::SIMD->new->use_simdjson(0)). Also, avoid compiling the module with USE_LONG_DOUBLE or USE_QUADMATH options that cause fallback to the legacy parser. These steps prevent triggering the vulnerable code path and mitigate potential denial-of-service attacks. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-40930. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart