CVE-2026-14803 PUBLISHED

Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder

Assigner: CPANSec
Reserved: 05.07.2026 Published: 06.07.2026 Updated: 06.07.2026

Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder.

The pure-Perl decode path (_decode_value dispatching to _decode_array and _decode_object) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory.

This path is the default when Cpanel::JSON::XS is not installed or MOJO_NO_JSON_XS=1 is set; the Cpanel::JSON::XS fast path is not affected.

Any caller that decodes an untrusted JSON body, for example Mojo::Message::json reached through $c->req->json, can exhaust process memory and cause denial of service.

Product Status

Vendor SRI
Product Mojo::JSON
Versions Default: unaffected
  • affected from 0 to 9.47 (excl.)

Workarounds

Where upgrading is not possible, install Cpanel::JSON::XS in the include path and leave MOJO_NO_JSON_XS unset.

Solutions

Upgrade to Mojolicious 9.47 or later.

References

Problem Types

  • CWE-674 Uncontrolled Recursion CWE