Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable via a calling app with no auth (AV:N/PR:N), but only quadratic backtracking needing large input yields partial/transient CPU exhaustion, so A:L rather than the vendor's A:H.
Primary rating from Vendor (CPANSec).
CVSS VectorVendor: CPANSec
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service.
The trim and rtrim functions stripped trailing whitespace with s/\s*$//u. Because \s* matches greedily and the $ anchor fails whenever a non-whitespace character follows the whitespace, the regex engine retries the match at each offset of a long whitespace run, producing quadratic backtracking. The fix replaces \s*$ with \s+$.
Any caller that passes untrusted input to trim or rtrim can trigger CPU exhaustion with a string containing a long run of whitespace.
AnalysisAI
Regular-expression denial of service in the String::Util Perl module (versions before 1.36) lets remote unauthenticated attackers exhaust CPU by supplying a string with a long run of whitespace to the trim or rtrim functions. The vulnerable s/\s*$//u pattern backtracks quadratically over whitespace runs, so any application feeding untrusted input through these helpers is exposed. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a downstream application call String::Util's trim or rtrim on attacker-controlled input AND that the input path allow a sufficiently long whitespace run to reach the function (the quadratic cost only becomes damaging at large input sizes). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals partially conflict. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits an HTTP form field or API parameter consisting of a very long run of whitespace followed by a single non-whitespace character to a Perl web service that passes the value through String::Util::trim or rtrim. The quadratic backtracking pins a worker process at 100% CPU for the duration of the match, and repeating the request across workers degrades or denies service. … |
| Remediation | Vendor-released patch: 1.36 - upgrade String::Util to version 1.36 or later (via cpan/cpanm or your distribution's Perl packaging) to pick up the corrected `\s+$` pattern; the fix commit is at https://github.com/scottchiefbaker/String-Util/commit/f8150867aaeb8f57c59601aefb2193f2caed8745.patch and details are in the oss-security post https://seclists.org/oss-sec/2026/q3/92 and vuldb entry https://vuldb.com/vuln/376726. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all applications using String::Util Perl module; determine which ones accept user-supplied input to trim or rtrim functions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42127
GHSA-vm32-9cff-wgh2