CVE-2026-14803
Publication date 6 July 2026
Last updated 6 July 2026
Ubuntu priority
Description
Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder. The pure-Perl decode path (`_decode_value` dispatching to `_decode_array` and `_decode_object`) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory. This path is the default when Cpanel::JSON::XS is not installed or `MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not affected. Any caller that decodes an untrusted JSON body, for example `Mojo::Message::json` reached through `$c->req->json`, can exhaust process memory and cause denial of service.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libmojolicious-perl | 26.04 LTS resolute |
Needs evaluation
|
| 25.10 questing |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-14803
- https://lists.security.metacpan.org/cve-announce/msg/41564627/
- https://github.com/mojolicious/mojo/commit/cc38b0554275c4d84f6b8b49bcbbc1bec2068fe1.patch
- https://metacpan.org/release/SRI/Mojolicious-9.47/changes
- http://www.openwall.com/lists/oss-security/2026/07/06/2