CVE-2026-14803: Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder Stig Palmquist 06 Jul 2026 01:38 UTC

========================================================================
CVE-2026-14803                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-14803
  Distribution:  Mojolicious
      Versions:  before 9.47

      MetaCPAN:  https://metacpan.org/dist/Mojolicious
      VCS Repo:  https://github.com/mojolicious/mojo

Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via
unbounded recursion in the pure-Perl decoder

Description
-----------
Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via
unbounded recursion in the pure-Perl decoder.

The pure-Perl decode path (`_decode_value` dispatching to
`_decode_array` and `_decode_object`) recurses with no depth limit, so
a small deeply nested JSON document can consume excessive memory.

This path is the default when Cpanel::JSON::XS is not installed or
`MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not
affected.

Any caller that decodes an untrusted JSON body, for example
`Mojo::Message::json` reached through `$c->req->json`, can exhaust
process memory and cause denial of service.

Problem types
-------------
- CWE-674 Uncontrolled Recursion

Workarounds
-----------
Where upgrading is not possible, install Cpanel::JSON::XS in the
include path and leave `MOJO_NO_JSON_XS` unset.

Solutions
---------
Upgrade to Mojolicious 9.47 or later.

References
----------
https://github.com/mojolicious/mojo/commit/cc38b0554275c4d84f6b8b49bcbbc1bec2068fe1.patch
https://metacpan.org/release/SRI/Mojolicious-9.47/changes

Timeline
--------
- 2026-07-05: Version 9.47 released with fix.