Skip to main content

JavaScript

3 CVEs product

Monthly

CVE-2026-56018 HIGH PATCH This Week

Uncontrolled memory consumption in the Perl module JavaScript::Minifier::XS before version 0.16 lets remote attackers exhaust a long-lived process's memory by repeatedly triggering minify() calls. The XS cleanup code frees only the NodeSet structures while leaking every per-token contents buffer (and the entire NodeSet on the empty-list early-return paths), so each invocation leaks heap memory until the process is OOM-killed. CISA's SSVC marks exploitation as automatable with partial technical impact; no public exploit has been identified and it is not in CISA KEV, though the leak is trivially reachable in any service that minifies attacker-supplied JavaScript.

Denial Of Service JavaScript
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-56017 HIGH PATCH This Week

JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash. The regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token's last byte to choose between a regexp literal and a division operator. When a slash is the first meaningful token, with the start of input or only whitespace and comments before it, there is no valid preceding token: the walk back over whitespace and comment nodes runs off the head of the node list to NULL, and the byte lookup reads through a NULL contents pointer at an underflowed length index. The following identifier check dereferences the same NULL pointer. The crash is reachable through the public minify() API, so input as small as a single slash byte crashes the calling process. A service that minifies untrusted or third-party JavaScript can be crashed by a remote request, causing denial of service.

Denial Of Service Null Pointer Dereference JavaScript
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-22206 npm CRITICAL PATCH This Week

Clerk helps developers build user management. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required.

Authentication Bypass Privilege Escalation JavaScript
NVD GitHub
CVSS 3.1
9.0
EPSS
0.3%
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Uncontrolled memory consumption in the Perl module JavaScript::Minifier::XS before version 0.16 lets remote attackers exhaust a long-lived process's memory by repeatedly triggering minify() calls. The XS cleanup code frees only the NodeSet structures while leaking every per-token contents buffer (and the entire NodeSet on the empty-list early-return paths), so each invocation leaks heap memory until the process is OOM-killed. CISA's SSVC marks exploitation as automatable with partial technical impact; no public exploit has been identified and it is not in CISA KEV, though the leak is trivially reachable in any service that minifies attacker-supplied JavaScript.

Denial Of Service JavaScript
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash. The regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token's last byte to choose between a regexp literal and a division operator. When a slash is the first meaningful token, with the start of input or only whitespace and comments before it, there is no valid preceding token: the walk back over whitespace and comment nodes runs off the head of the node list to NULL, and the byte lookup reads through a NULL contents pointer at an underflowed length index. The following identifier check dereferences the same NULL pointer. The crash is reachable through the public minify() API, so input as small as a single slash byte crashes the calling process. A service that minifies untrusted or third-party JavaScript can be crashed by a remote request, causing denial of service.

Denial Of Service Null Pointer Dereference JavaScript
NVD VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH This Week

Clerk helps developers build user management. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required.

Authentication Bypass Privilege Escalation JavaScript
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy