CVE-2026-14895: String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service Robert Rothenberg 07 Jul 2026 22:13 UTC

========================================================================
CVE-2026-14895                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-14895
   Distribution:  String-Util
       Versions:  before 1.36

       MetaCPAN:  https://metacpan.org/dist/String-Util
       VCS Repo:  https://github.com/scottchiefbaker/String-Util

String::Util versions before 1.36 for Perl are susceptible to a regular
expression denial of service

Description
-----------
String::Util versions before 1.36 for Perl are susceptible to a regular
expression denial of service.

The trim and rtrim functions stripped trailing whitespace with
s/\s*$//u. Because \s* matches greedily and the $ anchor fails whenever
a non-whitespace character follows the whitespace, the regex engine
retries the match at each offset of a long whitespace run, producing
quadratic backtracking. The fix replaces \s*$ with \s+$.

Any caller that passes untrusted input to trim or rtrim can trigger CPU
exhaustion with a string containing a long run of whitespace.

Problem types
-------------
- CWE-1333 Inefficient Regular Expression Complexity

Workarounds
-----------
For deployments that cannot upgrade, enforce a maximum length on
strings before passing them to the trim and rtrim functions.

Note that the HTML form field maxlength attribute is only enforced
client-side.

Solutions
---------
Upgrade to version 1.36 or later.

References
----------
https://github.com/scottchiefbaker/String-Util/commit/f8150867aaeb8f57c59601aefb2193f2caed8745.patch
https://metacpan.org/release/BAKERSCOT/String-Util-1.36/diff/BAKERSCOT/String-Util-1.35#lib/String/Util.pm
https://github.com/scottchiefbaker/String-Util/releases