CVE-2026-56017
Received Received - Intake

NULL Pointer Dereference in JavaScript::Minifier::XS Perl Module

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: CPANSec

Description
JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash. The regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token's last byte to choose between a regexp literal and a division operator. When a slash is the first meaningful token, with the start of input or only whitespace and comments before it, there is no valid preceding token: the walk back over whitespace and comment nodes runs off the head of the node list to NULL, and the byte lookup reads through a NULL contents pointer at an underflowed length index. The following identifier check dereferences the same NULL pointer. The crash is reachable through the public minify() API, so input as small as a single slash byte crashes the calling process. A service that minifies untrusted or third-party JavaScript can be crashed by a remote request, causing denial of service.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-29
Last Modified
2026-06-29
Generated
2026-06-30
AI Q&A
2026-06-29
EPSS Evaluated
N/A
NVD
CVE-2026-56017

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in JavaScript::Minifier::XS versions before 0.16 for Perl, where the software crashes due to a NULL pointer dereference when the first meaningful token of the input is a slash.

The issue arises because the function responsible for distinguishing between a regular expression literal and a division operator inspects the previous token's last byte. If the slash is the first meaningful token, there is no valid preceding token, causing the code to read from a NULL pointer and leading to a crash.

This crash can be triggered through the public minify() API with input as small as a single slash byte.

Impact Analysis

This vulnerability can cause a denial of service by crashing the process that runs the JavaScript minifier.

If you use the minify() API on untrusted or third-party JavaScript, a remote attacker can send specially crafted input (such as a single slash) to crash the service.

This can disrupt services relying on JavaScript minification, potentially causing downtime or service interruptions.

Compliance Impact

This vulnerability causes a denial of service by crashing the minification process when processing certain JavaScript inputs. It does not directly impact confidentiality, integrity, or availability of data beyond causing service disruption.

Since the vulnerability does not involve unauthorized access to or disclosure of personal or sensitive data, it does not directly affect compliance with data protection standards such as GDPR or HIPAA.

However, organizations relying on the affected minification service for processing untrusted JavaScript may experience availability issues, which could indirectly impact service reliability requirements under some regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56017. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart