CVE-2025-40928: JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact
Stig Palmquist 08 Sep 2025 15:11 UTC
========================================================================
CVE-2025-40928 CPAN Security Group
========================================================================
CVE ID: CVE-2025-40928
Distribution: JSON-XS
Versions: before 4.04
MetaCPAN: https://metacpan.org/dist/JSON-XS
VCS Repo: https://cvs.schmorp.de/JSON-XS/
Description
-----------
JSON::XS before version 4.04 for Perl has an integer buffer overflow
causing a segfault when parsing crafted JSON, enabling
denial-of-service attacks or other unspecified impact.
Problem types
-------------
- CWE-122 Heap-based Buffer Overflow
Solutions
---------
Update to 4.04, or apply the provided patch.
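A quick way to find out whether the JSON::XS installed for a given perl is older than the fixed release is to compare its reported version against 4.04. The script below is an added example, not part of this advisory or of the JSON-XS distribution; it assumes only that the module, if present, sets $JSON::XS::VERSION as CPAN modules normally do, and it uses the core version.pm module for the comparison.

```perl
#!/usr/bin/env perl
# Added example: report whether the JSON::XS found by this perl predates
# the first fixed release (4.04) named in the advisory for CVE-2025-40928.
use strict;
use warnings;
use version;

# First fixed release, taken from the advisory's "Versions" line.
my $FIXED = version->parse('4.04');

# Load JSON::XS at run time so the check still runs when it is absent.
sub installed_json_xs_version {
    local $@;
    eval { require JSON::XS; 1 } or return undef;
    return $JSON::XS::VERSION;
}

# True when the given version string is below the fixed release.
sub is_vulnerable {
    my ($ver) = @_;
    return version->parse($ver) < $FIXED ? 1 : 0;
}

my $ver = installed_json_xs_version();
if (!defined $ver) {
    print "JSON::XS is not installed for this perl ($^X)\n";
    exit 0;
}

# %INC records the file that was actually loaded, which matters when
# several perls or local::lib trees are present on the host.
my $path = $INC{'JSON/XS.pm'} // '(unknown path)';

if (is_vulnerable($ver)) {
    print "VULNERABLE: JSON::XS $ver at $path (CVE-2025-40928, fixed in 4.04)\n";
    exit 2;
}
print "OK: JSON::XS $ver at $path is not affected\n";
exit 0;
```

Run it with each perl interpreter in use on the host (`/usr/bin/perl`, perlbrew or plenv builds, application-bundled perls), since each has its own @INC and may carry its own copy of the module. A vendor package that backports the referenced patch without bumping the version number will still be reported as vulnerable here, so for distribution-packaged perls confirm the fix through the package changelog rather than the version string alone.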
References
----------
https://metacpan.org/release/MLEHMANN/JSON-XS-4.03/source/XS.xs#L256
https://security.metacpan.org/patches/J/JSON-XS/4.03/CVE-2025-40928-r1.patch
Credits
-------
Michael Hudak of rasotec, reporter