String
Monthly
Regular-expression denial of service in the String::Util Perl module (versions before 1.36) lets remote unauthenticated attackers exhaust CPU by supplying a string with a long run of whitespace to the trim or rtrim functions. The vulnerable `s/\s*$//u` pattern backtracks quadratically over whitespace runs, so any application feeding untrusted input through these helpers is exposed. No public exploit code has been identified; EPSS is low (0.19%, 9th percentile) and the flaw is not on CISA KEV, indicating no observed active exploitation.
String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Regular-expression denial of service in the String::Util Perl module (versions before 1.36) lets remote unauthenticated attackers exhaust CPU by supplying a string with a long run of whitespace to the trim or rtrim functions. The vulnerable `s/\s*$//u` pattern backtracks quadratically over whitespace runs, so any application feeding untrusted input through these helpers is exposed. No public exploit code has been identified; EPSS is low (0.19%, 9th percentile) and the flaw is not on CISA KEV, indicating no observed active exploitation.
String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.