CVE-2026-56018
Status: Received - Intake

Memory Leak in JavaScript::Minifier::XS Perl Module

Vulnerability report for CVE-2026-56018, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: CPANSec

Description

JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth. In JsMinify (XS.xs) the cleanup frees only the NodeSet structures and never the per-token contents buffers allocated in JsSetNodeContents; JsDiscardNode unlinks nodes without freeing their contents. Each token's contents buffer is therefore leaked on every call, and the two early returns taken when the node list is empty leak the whole NodeSet. A long-lived process that minifies repeatedly, such as an asset pipeline or a server-side minifier endpoint, grows in memory without bound until it exhausts available memory and is killed, causing denial of service.


Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor      Product                  Version / Range
bleargh45   javascript_minifier_xs   up to 0.16 (excluding)

Exploitability

KEV: not listed

CWE ID    Description
CWE-400   The product does not properly control the allocation and maintenance of a limited resource.
CWE-401   The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

AI Quick Actions
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-56018 is a memory leak vulnerability in JavaScript::Minifier::XS versions before 0.16 for Perl. The minify() function leaks memory on every call because its cleanup frees only the NodeSet structures and not the per-token contents buffers, causing unbounded memory growth.

Specifically, the cleanup process frees NodeSet structures but never the buffers allocated for each token's contents. Additionally, nodes are unlinked without freeing their contents, leading to memory being leaked on every call to minify().

This means that in long-running processes that repeatedly call minify(), such as asset pipelines or server-side minifier endpoints, memory usage grows without limit until the system runs out of memory.

Impact Analysis

The vulnerability can cause unbounded memory growth in applications using JavaScript::Minifier::XS before version 0.16 when the minify() function is called repeatedly.

This memory leak can lead to exhaustion of available system memory, causing the process to be killed or crash, resulting in a denial of service.

Therefore, any long-lived process such as an asset pipeline or server-side minifier endpoint that relies on this module may become unstable or unavailable due to this issue.

Detection Guidance

This vulnerability can be detected by monitoring the memory usage of processes that repeatedly call the minify() function from the JavaScript-Minifier-XS module. A test script that calls minify() in a tight loop can demonstrate the leak: resident memory grows with the number of calls and, if left running, until system RAM is exhausted.

To detect this on your system, you can monitor the memory usage of the relevant process using commands such as:

  • Linux: Use `top` or `htop` to observe memory consumption over time.
  • Linux: Use `ps aux --sort=-rss | head` to find processes with highest memory usage.
  • Linux: Use `pmap <pid>` to check detailed memory map of the process suspected of leaking memory.
  • Use a custom test script that repeatedly calls the minify() function with a small sleep interval to observe memory growth.
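The test script described above, as an added example that is not part of the original advisory: it calls minify() in a loop on a constructed JavaScript input, samples the process's resident set size from /proc/self/status (Linux only, an assumption), and exits non-zero when the per-call growth exceeds a heuristic threshold. The input, iteration count and threshold are constructed values.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Time::HiRes qw(sleep);
use JavaScript::Minifier::XS qw(minify);

# Constructed sample input: 50 small functions with comments, so each call
# tokenises a few hundred nodes and the per-token leak is easy to observe.
my $js = join "\n",
    map { "function f${_}(a, b) { /* comment */ return a + b; // trailing\n}" } 1 .. 50;

my $iterations   = $ARGV[0] // 20_000;   # constructed default
my $sample_every = 1_000;

# Resident set size in kB, read from /proc/self/status (Linux-only assumption).
sub rss_kb {
    open my $fh, '<', '/proc/self/status'
        or die "cannot read /proc/self/status: $!";
    while (my $line = <$fh>) {
        return $1 if $line =~ /^VmRSS:\s+(\d+)\s+kB/;
    }
    die "VmRSS not found in /proc/self/status";
}

printf "JavaScript::Minifier::XS %s\n", $JavaScript::Minifier::XS::VERSION;

# One warm-up call so one-off allocations are not counted as leakage.
minify($js);
my $baseline = rss_kb();
printf "%-8s %10s\n", 'calls', 'RSS kB';

for my $i (1 .. $iterations) {
    my $out = minify($js);
    if ($i % $sample_every == 0) {
        printf "%-8d %10d\n", $i, rss_kb();
        sleep 0.01;   # small interval, as the guidance above suggests
    }
}

# A leaking build grows roughly linearly with the call count; a fixed build
# (0.16 or later) should stay flat after warm-up.
my $growth   = rss_kb() - $baseline;
my $per_call = $growth / $iterations;
printf "growth: %d kB over %d calls (%.3f kB/call)\n",
    $growth, $iterations, $per_call;

# Threshold is a heuristic (assumption); tune it to your input size.
exit($per_call > 0.05 ? 1 : 0);
```

Run it once against the installed version and once after upgrading to 0.16 or later; the per-call growth figure should drop to roughly zero on the fixed build.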

Mitigation Strategies

The vulnerability causes unbounded memory growth when the minify() function is called repeatedly in a long-lived process, leading to denial of service.

The fix is to upgrade JavaScript::Minifier::XS to version 0.16 or later. Until that is possible, avoid repeated calls to minify() in long-lived processes such as asset pipelines or server-side minifier endpoints, for example by minifying assets once at build time rather than per request.

Consider restarting the process regularly to free leaked memory and prevent exhaustion.

Monitor memory usage closely to detect abnormal growth and take action accordingly.
