CVE-2026-14895 PUBLISHED

String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service

Assigner: CPANSec
Reserved: 06.07.2026 Published: 07.07.2026 Updated: 08.07.2026

String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service.

The trim and rtrim functions stripped trailing whitespace with s/\s$//u. Because \s matches greedily and the $ anchor fails whenever a non-whitespace character follows the whitespace, the regex engine retries the match at each offset of a long whitespace run, producing quadratic backtracking. The fix replaces \s*$ with \s+$.

Any caller that passes untrusted input to trim or rtrim can trigger CPU exhaustion with a string containing a long run of whitespace.

Product Status

Vendor BAKERSCOT
Product String::Util
Versions Default: unaffected
  • affected from 0 to 1.36 (excl.)

Workarounds

For deployments that cannot upgrade, enforce a maximum length on strings before passing them to the trim and rtrim functions.

Note that the HTML form field maxlength attribute is only enforced client-side.

Solutions

Upgrade to version 1.36 or later.

References

Problem Types

  • CWE-1333 Inefficient Regular Expression Complexity CWE