๐Ÿ” CVE Alert

CVE-2026-14803

MEDIUM 6.5

Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder

CVSS Score
6.5
EPSS Score
0.2%
EPSS Percentile
8th

Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder. The pure-Perl decode path (`_decode_value` dispatching to `_decode_array` and `_decode_object`) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory. This path is the default when Cpanel::JSON::XS is not installed or `MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not affected. Any caller that decodes an untrusted JSON body, for example `Mojo::Message::json` reached through `$c->req->json`, can exhaust process memory and cause denial of service.

CWE CWE-674
Vendor sri
Product mojo::json
Published Jul 6, 2026
Last Updated Jul 6, 2026
Stay Ahead of the Next One

Get instant alerts for sri mojo::json

Be the first to know when new medium vulnerabilities affecting sri mojo::json are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

SRI / Mojo::JSON
0 < 9.47

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/mojolicious/mojo/commit/cc38b0554275c4d84f6b8b49bcbbc1bec2068fe1.patch metacpan.org: https://metacpan.org/release/SRI/Mojolicious-9.47/changes openwall.com: http://www.openwall.com/lists/oss-security/2026/07/06/2