Skip to main content

String::Util CVE-2026-14895

| EUVDEUVD-2026-42127 HIGH
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-07-07 CPANSec GHSA-vm32-9cff-wgh2
7.5
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.3 MEDIUM

Network-reachable via a calling app with no auth (AV:N/PR:N), but only quadratic backtracking needing large input yields partial/transient CPU exhaustion, so A:L rather than the vendor's A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (CPANSec).

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jul 08, 2026 - 15:23 vuln.today
CVSS changed
Jul 08, 2026 - 15:22 NVD
7.5 (HIGH)
CVE Published
Jul 07, 2026 - 22:12 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service.

The trim and rtrim functions stripped trailing whitespace with s/\s*$//u. Because \s* matches greedily and the $ anchor fails whenever a non-whitespace character follows the whitespace, the regex engine retries the match at each offset of a long whitespace run, producing quadratic backtracking. The fix replaces \s*$ with \s+$.

Any caller that passes untrusted input to trim or rtrim can trigger CPU exhaustion with a string containing a long run of whitespace.

AnalysisAI

Regular-expression denial of service in the String::Util Perl module (versions before 1.36) lets remote unauthenticated attackers exhaust CPU by supplying a string with a long run of whitespace to the trim or rtrim functions. The vulnerable s/\s*$//u pattern backtracks quadratically over whitespace runs, so any application feeding untrusted input through these helpers is exposed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Perl endpoint using trim/rtrim
Delivery
Craft long whitespace + trailing char payload
Exploit
Submit via HTTP request field
Execution
Trigger quadratic regex backtracking
Persist
Exhaust worker CPU
Impact
Degrade or deny service

Vulnerability AssessmentAI

Exploitation Exploitation requires that a downstream application call String::Util's trim or rtrim on attacker-controlled input AND that the input path allow a sufficiently long whitespace run to reach the function (the quadratic cost only becomes damaging at large input sizes). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals partially conflict. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits an HTTP form field or API parameter consisting of a very long run of whitespace followed by a single non-whitespace character to a Perl web service that passes the value through String::Util::trim or rtrim. The quadratic backtracking pins a worker process at 100% CPU for the duration of the match, and repeating the request across workers degrades or denies service. …
Remediation Vendor-released patch: 1.36 - upgrade String::Util to version 1.36 or later (via cpan/cpanm or your distribution's Perl packaging) to pick up the corrected `\s+$` pattern; the fix commit is at https://github.com/scottchiefbaker/String-Util/commit/f8150867aaeb8f57c59601aefb2193f2caed8745.patch and details are in the oss-security post https://seclists.org/oss-sec/2026/q3/92 and vuldb entry https://vuldb.com/vuln/376726. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all applications using String::Util Perl module; determine which ones accept user-supplied input to trim or rtrim functions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14895 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy