CVE Vulnerabilities

CVE-2026-14803

Uncontrolled Recursion

Published: Jul 06, 2026 | Modified: Jul 06, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder.

The pure-Perl decode path (_decode_value dispatching to _decode_array and _decode_object) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory.

This path is the default when Cpanel::JSON::XS is not installed or MOJO_NO_JSON_XS=1 is set; the Cpanel::JSON::XS fast path is not affected.

Any caller that decodes an untrusted JSON body, for example Mojo::Message::json reached through $c->req->json, can exhaust process memory and cause denial of service.

Weakness

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Affected Software

NameVendorStart VersionEnd Version
Libmojolicious-perlUbuntuquesting*

Potential Mitigations

References