CVE-2026-9516
Status: Received - Intake
Denial of Service in Cpanel::JSON::XS Perl Module

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: CPANSec

Description
Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM-prefixed input when a decode filter callback throws. To skip a leading 3-byte UTF-8 BOM, decode_json() advances the input scalar's string pointer past the mark with SvPV_set() and restores it only on the normal return path. When decoding aborts through a Perl exception, for example a filter_json_object callback that croaks, the restore is skipped and the scalar is left with its string pointer offset into its own buffer and a shortened length. When that scalar is later freed, the allocator receives an invalid pointer and the interpreter aborts. A single BOM-prefixed document decoded with a throwing filter callback crashes any caller.
Meta Information
Generated: 2026-06-03
AI Q&A: 2026-06-03
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: rurban
Product: cpanel_json_xs
Version / Range: up to 4.41 (excluding)
CWE
CWE-755: The product does not handle or incorrectly handles an exceptional condition.
CWE-763: The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

This vulnerability exists in the decode_json() function of Cpanel::JSON::XS versions before 4.41 for Perl. When the input JSON string starts with a UTF-8 Byte Order Mark (BOM), the function attempts to skip this BOM by directly modifying the input string's internal pointer and length.

Normally, after processing, the function restores the original pointer and length. However, if a decode filter callback throws an exception during decoding, the restoration step is skipped. This leaves the input string's internal pointer offset incorrectly and its length shortened.

When the corrupted string is later freed, the memory allocator receives an invalid pointer, causing the Perl interpreter to abort unexpectedly. This can be triggered by a small payload containing a UTF-8 BOM followed by an empty JSON object and a throwing filter callback.


How can this vulnerability impact me?

This vulnerability can cause a denial-of-service (DoS) condition in applications using vulnerable versions of Cpanel::JSON::XS. Specifically, if an attacker provides JSON input prefixed with a UTF-8 BOM and triggers a decode filter callback that throws an exception, the application will crash due to an invalid memory pointer.

Such crashes can disrupt service availability, potentially leading to downtime or requiring restarts of the affected Perl interpreter or application.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the decode_json() function of Cpanel::JSON::XS with input containing a leading UTF-8 BOM followed by JSON data, especially when using filter callbacks that may throw exceptions.

A practical detection method is to send a minimal payload consisting of a UTF-8 BOM (3 bytes) followed by an empty JSON object "{}" to any service or script using the vulnerable decode_json() function with a throwing filter callback.

If the system or application crashes or aborts with a SIGABRT (exit code 134), it indicates the presence of this vulnerability.

No specific commands are provided in the available resources, but a test script in Perl could be constructed to decode a BOM-prefixed JSON string with a filter callback that throws an exception to observe if the interpreter aborts.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves updating Cpanel::JSON::XS to version 4.41 or later, where the vulnerability has been fixed by removing the in-place mutation of the input scalar and properly handling the UTF-8 BOM without corrupting the string pointer.

Until an update can be applied, avoid using decode_json() with input containing a UTF-8 BOM when filter callbacks that may throw exceptions are involved.

Additionally, review and modify any filter callbacks to handle exceptions gracefully without causing the decode_json() function to abort unexpectedly.
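A defensive wrapper for the two workarounds above, added here as an example (it is not from the advisory or from the Cpanel::JSON::XS project): it strips a leading BOM from a copy before decoding, so the library's own BOM-skip path is never used, and it traps exceptions from the filter_json_object callback so none propagates through the XS decoder. The helper names safe_decode_json and module_is_patched and the sample document are assumptions; the methods new, utf8, filter_json_object, decode and the class VERSION check are the module's real API.

```perl
#!/usr/bin/env perl
# Added example, not taken from the advisory or from Cpanel::JSON::XS itself.
# safe_decode_json and module_is_patched are hypothetical helper names.
use strict;
use warnings;
use Cpanel::JSON::XS ();

# True when the installed module is at or above the fixed release (4.41).
sub module_is_patched {
    return eval { Cpanel::JSON::XS->VERSION('4.41'); 1 } ? 1 : 0;
}

# Decode UTF-8 JSON bytes with an optional filter_json_object callback,
# without entering the library's BOM-skip path and without letting the
# callback croak while the XS decoder is still on the stack.
sub safe_decode_json {
    my ($bytes, $filter) = @_;

    # Strip a leading 3-byte UTF-8 BOM from a copy ourselves, so the module's
    # in-place pointer shift on the input scalar is never triggered.
    (my $text = $bytes) =~ s/\A\xEF\xBB\xBF//;

    my $filter_error;
    my $decoder = Cpanel::JSON::XS->new->utf8;   # bytes in, like decode_json()
    if ($filter) {
        $decoder->filter_json_object(sub {
            # Trap any exception from the caller's callback. Returning an
            # empty list keeps the original hash, so decode() always reaches
            # its normal return path and restores its own state.
            my @replacement = eval { $filter->(@_) };
            if ($@) { $filter_error //= $@; return (); }
            return @replacement;
        });
    }

    my $data = $decoder->decode($text);
    # Re-raise the callback's error only after decode() has returned.
    die "filter callback rejected input: $filter_error" if defined $filter_error;
    return $data;
}

# Constructed sample: a BOM-prefixed document and a callback that rejects any
# object whose "role" is "admin". The rejection surfaces as a normal exception.
my $sample = "\xEF\xBB\xBF" . '{"user": {"name": "alice", "role": "admin"}}';
my $reject = sub { my ($o) = @_; die "admin objects not allowed\n" if ($o->{role} // '') eq 'admin'; return () };
my $ok = eval { safe_decode_json($sample, $reject); 1 };
print "module ", (module_is_patched() ? "patched" : "needs 4.41+"), "\n";
print $ok ? "decode ok\n" : "decode refused cleanly: $@";
```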

