Skip to main content

Mojo::JSON CVE-2026-14803

| EUVDEUVD-2026-41798 MEDIUM
Uncontrolled Recursion (CWE-674)
2026-07-06 CPANSec GHSA-fp7f-j7qv-4qww
6.5
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

The decoder imposes no authentication gate; any reachable JSON endpoint is exposed, so PR:N is more accurate than PR:L.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CPANSec).

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jul 06, 2026 - 19:24 vuln.today
CVSS changed
Jul 06, 2026 - 19:22 NVD
6.5 (MEDIUM)
CVE Published
Jul 06, 2026 - 01:34 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder.

The pure-Perl decode path (_decode_value dispatching to _decode_array and _decode_object) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory.

This path is the default when Cpanel::JSON::XS is not installed or MOJO_NO_JSON_XS=1 is set; the Cpanel::JSON::XS fast path is not affected.

Any caller that decodes an untrusted JSON body, for example Mojo::Message::json reached through $c->req->json, can exhaust process memory and cause denial of service.

AnalysisAI

Memory exhaustion via uncontrolled recursion in Mojo::JSON's pure-Perl decoder allows network-accessible callers to cause denial of service in Mojolicious applications. All versions before 9.47 are affected when the pure-Perl decode path is active - specifically when Cpanel::JSON::XS is absent or MOJO_NO_JSON_XS=1 is set. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify Mojolicious endpoint accepting JSON body
Delivery
Confirm pure-Perl decoder active (no XS)
Exploit
Craft deeply nested JSON payload
Install
POST payload to target endpoint
C2
Trigger unbounded recursion in _decode_value
Execute
Exhaust worker process memory
Impact
Deny service to legitimate users

Vulnerability AssessmentAI

Exploitation Three conditions must hold simultaneously: (1) the target application is built on Mojolicious and decodes request bodies via `Mojo::Message::json`, `$c->req->json`, or any other caller of the pure-Perl decoder; (2) the pure-Perl code path is active at runtime, meaning Cpanel::JSON::XS is NOT installed and loadable, OR the environment variable MOJO_NO_JSON_XS=1 has been set - deployments with Cpanel::JSON::XS present are not vulnerable; and (3) the attacker can submit an arbitrary JSON body to an endpoint that decodes it. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) correctly captures a network-exploitable, low-complexity denial-of-service with no confidentiality or integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends an HTTP POST request to any Mojolicious route that calls `$c->req->json` (or any other codepath reaching `Mojo::Message::json`), with a body consisting of thousands of levels of nested JSON arrays or objects - a payload that may be only a few kilobytes. The pure-Perl decoder recurses without bound through `_decode_value` → `_decode_array` → `_decode_value`, exhausting available memory and crashing or hanging the Mojolicious worker process, denying service to legitimate users. …
Remediation Upgrade Mojolicious to version 9.47 or later, which introduces a recursion depth limit in the pure-Perl JSON decoder. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14803 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy