HIGH 7.3

CVE-2026-9334: Type Confusion in Cpanel::JSON::XS Perl Module

CVE-2026-9334 is a type-confusion vulnerability in Cpanel::JSON::XS (a Perl JSON parsing library) that occurs when a specific feature called dupkeys_as_arrayref is enabled. When decoding JSON with duplicate object keys, the library crashes and attempts to dereference attacker-controlled data as a pointer. An attacker can exploit this by sending crafted JSON to any application using this library with the vulnerable setting enabled, potentially leading to denial of service or information disclosure.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-843
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled. decode_hv() collapses duplicate object keys into an array reference under dupkeys_as_arrayref. The branch reached for a duplicate key tests `SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) != SVt_PVAV`, which evaluates SvRV(old_value) before establishing that old_value is a reference. When the existing value is a plain scalar rather than an array reference, a non-reference scalar is dereferenced as a reference. A caller decoding untrusted JSON with dupkeys_as_arrayref enabled is crashed, and the incompatible access follows a pointer taken from attacker controlled scalar contents.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the decode_hv() function within Cpanel::JSON::XS versions before 4.41. When dupkeys_as_arrayref mode is enabled, the code handles duplicate keys by converting them into array references. However, a logic error in the type-checking branch fails to validate that a value is a reference before dereferencing it via SvRV(). Specifically, the condition `SvTYPE(old_value) != SVt_RV && SvTYPE(SvRV(old_value)) != SVt_PVAV` evaluates SvRV(old_value) even when old_value is a plain scalar, not a reference. This causes the interpreter to dereference attacker-controlled scalar data as a pointer, leading to out-of-bounds memory access classified under CWE-843 (Type Confusion).

Business impact

Any Perl-based application or service that parses untrusted JSON using Cpanel::JSON::XS with dupkeys_as_arrayref enabled faces immediate risk. The vulnerability can be triggered remotely without authentication, causing application crashes and potential data leakage. For organizations running Perl microservices, APIs, or data processing pipelines that accept external JSON input, this represents a significant availability and confidentiality threat. The attack surface is broad: web frameworks, API gateways, message queue consumers, and batch processors all may be affected if they use this library with the vulnerable setting.

Affected systems

Cpanel::JSON::XS versions prior to 4.41 are vulnerable. The issue is present in the Perl module maintained by rurban. Any system running an affected version with dupkeys_as_arrayref mode explicitly enabled during JSON decoding is at risk. The vulnerability does not affect default configurations where this option is disabled. Organizations should audit their Perl dependencies and JSON decoder configurations to identify exposure.

Exploitability

Exploitability is high. The vulnerability requires no authentication, no user interaction, and can be triggered over the network by sending a specially crafted JSON payload with duplicate keys to any application that parses it. The attacker only needs knowledge that the target uses this library with dupkeys_as_arrayref enabled—a setting that may be non-obvious from external observation. Once triggered, the crash is reliable and the pointer dereference is deterministic, making it a practical attack vector for both denial of service and information leakage.

Remediation

Upgrade Cpanel::JSON::XS to version 4.41 or later immediately. Organizations unable to patch urgently should disable the dupkeys_as_arrayref option if the application logic permits, reverting to standard duplicate-key handling. Review JSON parsing code to confirm whether dupkeys_as_arrayref is actually needed for business requirements; in many cases it is not the default and can be safely disabled. Test patches in a staging environment to ensure compatibility before production deployment.

Patch guidance

Update Cpabel::JSON::XS from your package manager (CPAN, apt, yum, etc.) to version 4.41 or higher. Verify the update by checking the installed version with `perl -MCpanel::JSON::XS -e 'print $Cpanel::JSON::XS::VERSION'`. If your application explicitly passes dupkeys_as_arrayref => 1 to the decoder, confirm that the patched version resolves the crash during testing. Regression testing should include JSON payloads with duplicate keys to ensure the fix does not alter expected behavior.

Detection guidance

Monitor Perl application logs for segmentation faults or memory access violations coinciding with JSON parsing. If dupkeys_as_arrayref is in use, enable detailed logging of JSON input to identify patterns in crash-inducing payloads. Network-based detection is challenging without payload inspection; focus on identifying which systems run Cpanel::JSON::XS via dependency scanning and inventory tools. Check application dependencies with `cpanm -n --json Cpanel::JSON::XS` or equivalent to list installed version numbers across your infrastructure.

Why prioritize this

This vulnerability merits immediate attention due to its HIGH CVSS score (7.3), unauthenticated network exploitability, and potential for both denial of service and information disclosure. The attack surface spans any Perl application parsing untrusted JSON, and exploitation is straightforward. While the dupkeys_as_arrayref setting is not universal, its presence in production systems cannot be assumed to be rare given the variety of legacy and custom Perl codebases in use.

Risk score, explained

CVE-2026-9334 carries a CVSS 3.1 score of 7.3 (HIGH) due to network accessibility (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction (UI:N), and impact across confidentiality, integrity, and availability (C:L, I:L, A:L). The score reflects a remotely exploitable crash with data exposure risk, but does not reach CRITICAL because the impact is partial and requires the dupkeys_as_arrayref option to be explicitly enabled—a deployment-dependent factor that limits ubiquitous exposure.

Frequently asked questions

Is my Perl application vulnerable if I use Cpanel::JSON::XS but don't explicitly enable dupkeys_as_arrayref?

No. The vulnerability only manifests when dupkeys_as_arrayref is explicitly enabled during JSON decoder initialization. If your code does not pass this option, or if your version is 4.41 or later, you are not affected. Review your JSON decoder instantiation code to confirm.

Can this vulnerability be exploited without sending JSON?

No. The vulnerability is triggered only during JSON parsing when duplicate keys are present and dupkeys_as_arrayref mode is active. The attacker must craft a malicious JSON payload and ensure it reaches your application's JSON decoder.

What is dupkeys_as_arrayref and why would an application use it?

dupkeys_as_arrayref is an option that instructs the JSON decoder to convert duplicate object keys into an array reference instead of silently overwriting the first value. This is useful for applications that need to preserve all values associated with duplicate keys (a rare but valid use case in some data transformation pipelines). Most applications do not use this option and are therefore not vulnerable.

Does upgrading to 4.41 break existing functionality?

Upgrading fixes the crash and corrects the type-confusion logic, but does not change the intended behavior of dupkeys_as_arrayref. Applications relying on this feature should continue to work correctly with the patched version. Always test in a non-production environment first to confirm compatibility with your specific use case.

This analysis is based on published vulnerability data and vendor documentation current as of the analysis date. Organizations should verify patch availability and version applicability against official Cpanel and CPAN repositories before deploying updates. This vulnerability assessment does not constitute legal or compliance advice. Testing should always be performed in a non-production environment before production rollout. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and recommends consultation with your security team for environment-specific risk assessment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).