The pure-Perl decode path (`_decode_value` dispatching to `_decode_array` and `_decode_object`) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory.
This path is the default when Cpanel::JSON::XS is not installed or `MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not affected.
Any caller that decodes an untrusted JSON body, for example `Mojo::Message::json` reached through `$c->req->json`, can exhaust process memory and cause denial of service.
Project Subscriptions
No data.
No advisories yet.
Solution
Upgrade to Mojolicious 9.47 or later.
Workaround
Where upgrading is not possible, install Cpanel::JSON::XS in the include path and leave `MOJO_NO_JSON_XS` unset.
Mon, 06 Jul 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
Mon, 06 Jul 2026 02:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder. The pure-Perl decode path (`_decode_value` dispatching to `_decode_array` and `_decode_object`) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory. This path is the default when Cpanel::JSON::XS is not installed or `MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not affected. Any caller that decodes an untrusted JSON body, for example `Mojo::Message::json` reached through `$c->req->json`, can exhaust process memory and cause denial of service. | |
| Title | Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder | |
| Weaknesses | CWE-674 | |
| References |
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: CPANSec
Published:
Updated: 2026-07-06T18:51:14.358Z
Reserved: 2026-07-05T21:23:29.979Z
Link: CVE-2026-14803
Updated: 2026-07-06T05:27:01.702Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-06T08:15:11Z