CVE-2025-40929: Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact

CVE-2025-40929: Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact Stig Palmquist 08 Sep 2025 15:12 UTC

========================================================================
CVE-2025-40929                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2025-40929
  Distribution:  Cpanel-JSON-XS
      Versions:  before 4.40

      MetaCPAN:  https://metacpan.org/dist/Cpanel-JSON-XS
      VCS Repo:  https://github.com/rurban/Cpanel-JSON-XS

Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer
overflow causing a segfault when parsing crafted JSON, enabling
denial-of-service attacks or other unspecified impact

Description
-----------
Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer
overflow causing a segfault when parsing crafted JSON, enabling
denial-of-service attacks or other unspecified impact

Problem types
-------------
- CWE-122 Heap-based Buffer Overflow

Solutions
---------
Update to 4.40 or later, or apply the provided patch

References
----------
https://metacpan.org/release/RURBAN/Cpanel-JSON-XS-4.39/source/XS.xs#L713
https://metacpan.org/release/RURBAN/Cpanel-JSON-XS-4.40/changes
https://github.com/rurban/Cpanel-JSON-XS/commit/378236219eaa35742c3962ecbdee364903b0a1f2.patch

Credits
-------
Michael Hudak of rasotec, reporter