CVE-2026-14741
Received Received - Intake

ReDoS in HTTP::Date Perl Module

Vulnerability report for CVE-2026-14741, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: CPANSec

Description

HTTP::Date versions before 6.08 for Perl allow CPU exhaustion via polynomial regex backtracking in parse_date. parse_date() matches the date string against a chain of alternative regexes, and str2time() delegates to it. Several of these patterns place unbounded quantifiers next to each other before a trailing `\s*$` anchor. A valid date prefix followed by a long interior run of digits, letters, or whitespace and a single trailing byte that defeats the final match forces the engine to repartition the run, giving polynomial (about quadratic) backtracking. A header value of a few tens of kilobytes runs for tens of seconds of CPU. HTTP::Date parses timestamps such as HTTP `Date`, `Expires`, and `Last-Modified` headers, which commonly originate from untrusted sources. Any caller that passes an untrusted date header to str2time() or parse_date() can be driven to consume unbounded CPU, a denial of service.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
libwww-perl http_date to 6.08 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a ReDoS (Regular Expression Denial of Service) vulnerability in the HTTP::Date Perl module. It occurs in the parse_date function where regex patterns with ambiguous adjacent greedy quantifiers (digits, letters, or whitespace) before a trailing anchor can be exploited. A long input string (e.g., ~100 KB) with a valid date prefix followed by excessive characters forces O(N^2) backtracking, consuming excessive CPU time and causing a denial of service.

Detection Guidance

To detect this vulnerability, monitor CPU usage spikes when processing HTTP headers containing Date, Expires, or Last-Modified fields. Check Perl applications using HTTP::Date versions before 6.08. Use commands like 'perl -MHTTP::Date -e "print HTTP::Date::parse_date('...long input...')"' to test inputs for excessive processing time.

Impact Analysis

Any application using HTTP::Date versions before 6.08 for Perl to parse untrusted HTTP headers like Date, Expires, or Last-Modified could be impacted. An attacker could send a specially crafted header value causing the server to consume excessive CPU resources, leading to degraded performance or a complete denial of service.

Compliance Impact

This vulnerability primarily causes denial of service by consuming excessive CPU resources, which could disrupt services handling HTTP date headers. While not directly violating GDPR or HIPAA, such disruptions may impact availability requirements under these regulations, potentially leading to compliance issues if systems fail to process requests in a timely manner.

Mitigation Strategies

Upgrade HTTP::Date to version 6.08 or later. If upgrading is not possible, implement input length validation before passing date headers to parse_date() or str2time(). Set a 64-character limit for date header inputs to prevent ReDoS attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14741. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart