Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4e6307d9-6dca-4924-aacd-a27f3b34070a@cpansec.org>
Date: Tue, 7 Jul 2026 23:13:16 +0100
From: Robert Rothenberg <rrwo@...nsec.org>
To: cve-announce@...urity.metacpan.org, oss-security@...ts.openwall.com
Subject: CVE-2026-14895: String::Util versions before 1.36 for Perl are
 susceptible to a regular expression denial of service


========================================================================
CVE-2026-14895                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-14895
   Distribution:  String-Util
       Versions:  before 1.36

       MetaCPAN:  https://metacpan.org/dist/String-Util
       VCS Repo:  https://github.com/scottchiefbaker/String-Util


String::Util versions before 1.36 for Perl are susceptible to a regular
expression denial of service

Description
-----------
String::Util versions before 1.36 for Perl are susceptible to a regular
expression denial of service.

The trim and rtrim functions stripped trailing whitespace with
s/\s*$//u. Because \s* matches greedily and the $ anchor fails whenever
a non-whitespace character follows the whitespace, the regex engine
retries the match at each offset of a long whitespace run, producing
quadratic backtracking. The fix replaces \s*$ with \s+$.

Any caller that passes untrusted input to trim or rtrim can trigger CPU
exhaustion with a string containing a long run of whitespace.

Problem types
-------------
- CWE-1333 Inefficient Regular Expression Complexity

Workarounds
-----------
For deployments that cannot upgrade, enforce a maximum length on
strings before passing them to the trim and rtrim functions.

Note that the HTML form field maxlength attribute is only enforced
client-side.


Solutions
---------
Upgrade to version 1.36 or later.


References
----------
https://github.com/scottchiefbaker/String-Util/commit/f8150867aaeb8f57c59601aefb2193f2caed8745.patch
https://metacpan.org/release/BAKERSCOT/String-Util-1.36/diff/BAKERSCOT/String-Util-1.35#lib/String/Util.pm
https://github.com/scottchiefbaker/String-Util/releases



Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.