Skip to main content

JavaScript::Minifier::XS CVE-2026-56018

| EUVDEUVD-2026-40182 HIGH
Memory Leak (CWE-401)
2026-06-29 CPANSec GHSA-fvxv-8c37-qrc6
7.5
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-reachable when used in a minifier endpoint, no auth or interaction, and the per-call leak yields availability-only impact (C/I:N, A:H); AC:L since any repeated normal call triggers it.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CPANSec).

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 29, 2026 - 22:30 vuln.today
Patch available
Jun 29, 2026 - 22:02 EUVD
CVSS changed
Jun 29, 2026 - 21:22 NVD
7.5 (HIGH)
CVE Published
Jun 29, 2026 - 19:38 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth.

In JsMinify (XS.xs) the cleanup frees only the NodeSet structures and never the per-token contents buffers allocated in JsSetNodeContents; JsDiscardNode unlinks nodes without freeing their contents. Each token's contents buffer is therefore leaked on every call, and the two early returns taken when the node list is empty leak the whole NodeSet.

A long-lived process that minifies repeatedly, such as an asset pipeline or a server-side minifier endpoint, grows in memory without bound until it exhausts available memory and is killed, causing denial of service.

AnalysisAI

Uncontrolled memory consumption in the Perl module JavaScript::Minifier::XS before version 0.16 lets remote attackers exhaust a long-lived process's memory by repeatedly triggering minify() calls. The XS cleanup code frees only the NodeSet structures while leaking every per-token contents buffer (and the entire NodeSet on the empty-list early-return paths), so each invocation leaks heap memory until the process is OOM-killed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed minifier endpoint
Delivery
Submit repeated minify() requests
Exploit
Leak per-token contents buffers each call
Execution
Resident memory grows unbounded
Impact
Process OOM-killed, service denied

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target run JavaScript::Minifier::XS below 0.16 inside a long-lived process that calls minify() repeatedly - explicitly a server-side minifier endpoint or a persistent asset-pipeline worker, per the CVE description. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are consistent but point to a resource-exhaustion DoS rather than a code-execution emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a service that minifies user- or build-supplied JavaScript on the fly - for example a server-side minifier API or a persistent asset-pipeline worker - and submits a continuous stream of minify requests. Each call leaks the token contents buffers, so the worker's resident memory climbs steadily until the OS OOM-killer terminates it, denying service to legitimate users. …
Remediation Vendor-released patch: upgrade to JavaScript::Minifier::XS 0.16 or later, which adds the missing frees for the per-token contents buffers and the empty-list NodeSet paths (see the 0.16 changelog at https://metacpan.org/release/GTERMARS/JavaScript-Minifier-XS-0.16/changes and the upstream issue at https://github.com/bleargh45/JavaScript-Minifier-XS/issues/10). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running JavaScript::Minifier::XS versions prior to 0.16 using software asset inventory tools; prioritize systems processing untrusted or user-supplied JavaScript. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56018 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy