Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable when used in a minifier endpoint, no auth or interaction, and the per-call leak yields availability-only impact (C/I:N, A:H); AC:L since any repeated normal call triggers it.
Primary rating from Vendor (CPANSec).
CVSS VectorVendor: CPANSec
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth.
In JsMinify (XS.xs) the cleanup frees only the NodeSet structures and never the per-token contents buffers allocated in JsSetNodeContents; JsDiscardNode unlinks nodes without freeing their contents. Each token's contents buffer is therefore leaked on every call, and the two early returns taken when the node list is empty leak the whole NodeSet.
A long-lived process that minifies repeatedly, such as an asset pipeline or a server-side minifier endpoint, grows in memory without bound until it exhausts available memory and is killed, causing denial of service.
AnalysisAI
Uncontrolled memory consumption in the Perl module JavaScript::Minifier::XS before version 0.16 lets remote attackers exhaust a long-lived process's memory by repeatedly triggering minify() calls. The XS cleanup code frees only the NodeSet structures while leaking every per-token contents buffer (and the entire NodeSet on the empty-list early-return paths), so each invocation leaks heap memory until the process is OOM-killed. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target run JavaScript::Minifier::XS below 0.16 inside a long-lived process that calls minify() repeatedly - explicitly a server-side minifier endpoint or a persistent asset-pipeline worker, per the CVE description. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent but point to a resource-exhaustion DoS rather than a code-execution emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a service that minifies user- or build-supplied JavaScript on the fly - for example a server-side minifier API or a persistent asset-pipeline worker - and submits a continuous stream of minify requests. Each call leaks the token contents buffers, so the worker's resident memory climbs steadily until the OS OOM-killer terminates it, denying service to legitimate users. … |
| Remediation | Vendor-released patch: upgrade to JavaScript::Minifier::XS 0.16 or later, which adds the missing frees for the per-token contents buffers and the empty-list NodeSet paths (see the 0.16 changelog at https://metacpan.org/release/GTERMARS/JavaScript-Minifier-XS-0.16/changes and the upstream issue at https://github.com/bleargh45/JavaScript-Minifier-XS/issues/10). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running JavaScript::Minifier::XS versions prior to 0.16 using software asset inventory tools; prioritize systems processing untrusted or user-supplied JavaScript. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in JavaScript
View allJavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful t
Clerk helps developers build user management. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploit
Same weakness CWE-401 – Memory Leak
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40182
GHSA-fvxv-8c37-qrc6