Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
The decoder imposes no authentication gate; any reachable JSON endpoint is exposed, so PR:N is more accurate than PR:L.
Primary rating from Vendor (CPANSec).
CVSS VectorVendor: CPANSec
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder.
The pure-Perl decode path (_decode_value dispatching to _decode_array and _decode_object) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory.
This path is the default when Cpanel::JSON::XS is not installed or MOJO_NO_JSON_XS=1 is set; the Cpanel::JSON::XS fast path is not affected.
Any caller that decodes an untrusted JSON body, for example Mojo::Message::json reached through $c->req->json, can exhaust process memory and cause denial of service.
AnalysisAI
Memory exhaustion via uncontrolled recursion in Mojo::JSON's pure-Perl decoder allows network-accessible callers to cause denial of service in Mojolicious applications. All versions before 9.47 are affected when the pure-Perl decode path is active - specifically when Cpanel::JSON::XS is absent or MOJO_NO_JSON_XS=1 is set. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three conditions must hold simultaneously: (1) the target application is built on Mojolicious and decodes request bodies via `Mojo::Message::json`, `$c->req->json`, or any other caller of the pure-Perl decoder; (2) the pure-Perl code path is active at runtime, meaning Cpanel::JSON::XS is NOT installed and loadable, OR the environment variable MOJO_NO_JSON_XS=1 has been set - deployments with Cpanel::JSON::XS present are not vulnerable; and (3) the attacker can submit an arbitrary JSON body to an endpoint that decodes it. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) correctly captures a network-exploitable, low-complexity denial-of-service with no confidentiality or integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends an HTTP POST request to any Mojolicious route that calls `$c->req->json` (or any other codepath reaching `Mojo::Message::json`), with a body consisting of thousands of levels of nested JSON arrays or objects - a payload that may be only a few kilobytes. The pure-Perl decoder recurses without bound through `_decode_value` → `_decode_array` → `_decode_value`, exhausting available memory and crashing or hanging the Mojolicious worker process, denying service to legitimate users. … |
| Remediation | Upgrade Mojolicious to version 9.47 or later, which introduces a recursion depth limit in the pure-Perl JSON decoder. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41798
GHSA-fp7f-j7qv-4qww