CVE-2026-9516: Cpanel::JSON::XS Denial of Service via UTF-8 BOM and Filter Callbacks
Cpanel::JSON::XS, a popular Perl library for JSON processing, contains a vulnerability that can crash applications when they process JSON documents that start with a UTF-8 byte order mark (BOM) and use callback filters during decoding. The issue stems from incorrect memory pointer management: when a decode filter throws an exception, the library fails to properly restore the input scalar's internal pointer, leaving it in an invalid state. This corrupted state causes a crash when the memory is eventually freed. An attacker can trigger this denial of service by sending a specially crafted JSON document to any application using the vulnerable library with filtering enabled.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-755, CWE-763
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws. To skip a leading 3-byte UTF-8 BOM, decode_json() advances the input scalar's string pointer past the mark with SvPV_set() and restores it only on the normal return path. When decoding aborts through a Perl exception, for example a filter_json_object callback that croaks, the restore is skipped and the scalar is left with its string pointer offset into its own buffer and a shortened length. When that scalar is later freed, the allocator receives an invalid pointer and the interpreter aborts. A single BOM prefixed document decoded with a throwing filter callback crashes any caller.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the BOM-handling code path of Cpanel::JSON::XS versions prior to 4.41. The decode_json() function uses SvPV_set() to advance a Perl scalar's string pointer past the 3-byte UTF-8 BOM (0xEF 0xBB 0xBF). Under normal execution, the pointer is restored before returning. However, when a filter callback (such as filter_json_object) throws a Perl exception via croak(), the exception unwinds the stack without executing the restoration code. The scalar is left with its internal pointer offset into its buffer and its length field shortened, creating an invalid heap state. When Perl's memory allocator later frees this scalar, it receives a corrupted pointer, causing an interpreter abort. The defect is classified under CWE-755 (Improper Handling of Exceptional Conditions) and CWE-763 (Release of Invalid Pointer or Reference).
Business impact
Organizations running Perl applications that consume JSON data using Cpanel::JSON::XS with custom filter callbacks face immediate availability risk. A remote attacker can reliably crash the application by sending JSON with a BOM prefix, resulting in service disruption. This is particularly impactful for APIs, data processing pipelines, and microservices that parse untrusted JSON. The high CVSS score (7.5) reflects the ease of exploitation and complete loss of availability, though confidentiality and integrity are not affected.
Affected systems
Cpanel::JSON::XS versions before 4.41 are vulnerable. The library is widely used in Perl ecosystems for JSON serialization and deserialization. Any Perl application or script using the affected versions with filter callbacks enabled is at risk. This includes web applications, ETL processes, message queue consumers, and any service that parses JSON with custom validation or transformation logic.
Exploitability
Exploitation is trivial and requires no special privileges. An attacker needs only to craft a JSON payload beginning with a UTF-8 BOM (three bytes: 0xEF 0xBB 0xBF) and deliver it to an application that decodes it with a filter callback. No user interaction is required; network-accessible services are exploitable remotely. The barrier to exploitation is low, making this a practical denial-of-service vector for anyone able to send JSON to a vulnerable application.
Remediation
Upgrade Cpanel::JSON::XS to version 4.41 or later. This version corrects the pointer restoration logic to ensure the scalar's state is properly restored even when exceptions occur during decoding. Administrators should prioritize patching Perl environments that rely on JSON processing with filters, particularly in production systems handling external data sources.
Patch guidance
Consult the vendor advisory and CPAN release notes for Cpanel::JSON::XS version 4.41 to verify patch details and any compatibility notes. Typical update procedures involve using cpanm, CPAN shell, or your distribution's package manager (e.g., apt, yum) to upgrade the module. Test the upgrade in a non-production environment first, as Perl module updates can occasionally interact unexpectedly with locally customized code. Verify that your application's filter callbacks still execute correctly after patching.
Detection guidance
Monitor Perl application logs and system error logs for unexpected crashes or interpreter aborts, particularly those mentioning memory allocation failures or invalid pointers. If possible, review application input handling to identify services accepting JSON with BOM prefixes or that use filter callbacks in JSON decoding. Scan deployed Perl environments using cpan or local package tools to identify instances of Cpanel::JSON::XS versions below 4.41. Perform code reviews of Perl scripts and modules to determine which ones employ JSON filtering logic.
Why prioritize this
This vulnerability merits high priority because it combines trivial exploitability, wide applicability, and reliable impact. Any exposed Perl service using the vulnerable library with filters can be crashed by a remote, unauthenticated attacker without special conditions. The high CVSS score and ease of reproduction mean it should be remediated promptly in production environments, especially those handling untrusted input.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects: an Attack Vector of Network (AV:N), requiring no authentication (PR:N) or user interaction (UI:N), with Attack Complexity of Low (AC:L). The impact is limited to Availability (A:H), with no effect on Confidentiality or Integrity. The HIGH severity underscores the practical ease of causing denial of service, though the absence of data exfiltration or integrity loss prevents a CRITICAL rating.
Frequently asked questions
Does this vulnerability affect all uses of Cpanel::JSON::XS, or only those with filter callbacks?
Only applications that use filter callbacks (such as filter_json_object or filter_json_single_key_object) during JSON decoding are vulnerable. Standard decode_json() calls without filters are not affected, as the exception path that triggers the bug is not exercised.
Can an attacker exploit this vulnerability if the JSON input doesn't contain a UTF-8 BOM?
No. The vulnerability specifically requires the input to begin with a UTF-8 BOM (0xEF 0xBB 0xBF). JSON without a BOM will not trigger the vulnerable code path, even if a filter callback throws.
What is the recommended upgrade path for organizations running older Perl distributions?
Upgrade Cpanel::JSON::XS to version 4.41 or later using your Perl package manager (cpanm, apt, yum, etc.). If you cannot immediately upgrade, consider disabling or refactoring any JSON filter callbacks until the patch is available, or validate and strip BOM prefixes in application code before passing data to the decoder.
Does the vulnerability require the attacker to be authenticated or have special access to the application?
No. This is a network-accessible, unauthenticated denial-of-service vulnerability. Any attacker capable of sending JSON data to a vulnerable application (e.g., via HTTP POST, message queue, or file upload) can trigger the crash.
This analysis is provided for informational purposes to help security teams understand and prioritize remediation efforts. All factual claims regarding affected versions, patch availability, and technical details are based on the vendor advisory and CVE record. Organizations should verify patch version numbers and compatibility against official vendor sources before deployment. No exploit code or weaponized proof-of-concept is included; this content is intended for defensive purposes only. SEC.co assumes no liability for damages arising from the application or misapplication of this guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46116HIGHLinux Kernel xfrm_state Use-After-Free – Privilege Escalation Risk
- CVE-2026-48524LOWPyJWT Denial of Service via Unlimited JWKS Requests
- CVE-2026-9334HIGHType Confusion in Cpanel::JSON::XS Perl Module
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)