Source: libmojolicious-perl Version: 9.46+dfsg-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for libmojolicious-perl. CVE-2026-14803[0]: | Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via | unbounded recursion in the pure-Perl decoder. The pure-Perl decode | path (`_decode_value` dispatching to `_decode_array` and | `_decode_object`) recurses with no depth limit, so a small deeply | nested JSON document can consume excessive memory. This path is the | default when Cpanel::JSON::XS is not installed or | `MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not | affected. Any caller that decodes an untrusted JSON body, for | example `Mojo::Message::json` reached through `$c->req->json`, can | exhaust process memory and cause denial of service. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-14803 https://www.cve.org/CVERecord?id=CVE-2026-14803 [1] https://lists.security.metacpan.org/cve-announce/msg/41564627/ [2] https://github.com/mojolicious/mojo/commit/cc38b0554275c4d84f6b8b49bcbbc1bec2068fe1 Please adjust the affected versions in the BTS as needed. Regards, Salvatore

