CVE-2026-14803
Received Received - Intake

Memory Exhaustion in Mojo::JSON Perl Module

Vulnerability report for CVE-2026-14803, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: CPANSec

Description

Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder. The pure-Perl decode path (`_decode_value` dispatching to `_decode_array` and `_decode_object`) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory. This path is the default when Cpanel::JSON::XS is not installed or `MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not affected. Any caller that decodes an untrusted JSON body, for example `Mojo::Message::json` reached through `$c->req->json`, can exhaust process memory and cause denial of service.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mojolicious mojo_json to 9.47 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-14803 is a security vulnerability in the pure-Perl implementation of Mojo::JSON for Perl versions before 9.47. The vulnerability arises because the JSON decoder uses unbounded recursion when parsing deeply nested JSON data, which means there is no limit on how deep the recursion can go.

Specifically, the pure-Perl decode path (_decode_value dispatching to _decode_array and _decode_object) recurses without any depth limit. This allows a small but deeply nested JSON document to consume excessive amounts of memory.

This issue occurs when the Cpanel::JSON::XS module is not installed or when the environment variable MOJO_NO_JSON_XS=1 is set, causing the pure-Perl decoder to be used by default. The fast path using Cpanel::JSON::XS is not affected.

An attacker can exploit this by sending a crafted deeply nested JSON body to an application that decodes untrusted JSON, such as through Mojo::Message::json accessed via $c->req->json, leading to memory exhaustion.

Impact Analysis

This vulnerability can impact you by causing your application to consume excessive memory when processing deeply nested JSON inputs. This memory exhaustion can lead to denial of service (DoS) conditions, where the application becomes unresponsive or crashes.

If your application decodes untrusted JSON data using the pure-Perl Mojo::JSON decoder (for example, when Cpanel::JSON::XS is not installed or disabled), an attacker can exploit this to disrupt service availability.

Detection Guidance

This vulnerability can be detected by monitoring for processes that decode JSON data using the pure-Perl Mojo::JSON decoder without the Cpanel::JSON::XS fast path. Specifically, detection involves identifying if the application is processing deeply nested JSON documents that could trigger unbounded recursion and memory exhaustion.

One approach is to check if the environment variable MOJO_NO_JSON_XS is set to 1, which forces the use of the vulnerable pure-Perl decoder.

Additionally, you can monitor application logs or runtime behavior for signs of excessive memory usage or crashes during JSON decoding.

While no specific commands are provided in the resources, you can use system monitoring tools such as 'top', 'htop', or 'ps' to observe memory consumption of processes running Mojo::JSON decoding.

To check if the vulnerable version of Mojo::JSON is installed, you can run a Perl command to print the version, for example:

  • perl -MMojo::JSON -e 'print $Mojo::JSON::VERSION . "\n"'

If the version is before 9.47, the system is vulnerable.

Mitigation Strategies

Immediate mitigation steps include upgrading Mojo::JSON to version 9.47 or later, which implements a maximum JSON nesting level of 512 to prevent memory exhaustion.

If upgrading is not immediately possible, ensure that the Cpanel::JSON::XS module is installed and used, as it is not affected by this vulnerability.

Avoid setting the environment variable MOJO_NO_JSON_XS=1, which forces the use of the vulnerable pure-Perl decoder.

Additionally, validate and limit the depth of JSON input from untrusted sources before decoding to prevent deeply nested JSON from being processed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14803. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart