Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3105 articles · 171987 vulns · 36/41 feeds (7d)
← Back to list
0.0
CVE-2026-56017EXPLOITEDPATCHED
perl · javascript::minifier::xs

JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash

Description

JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash. The regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token's last byte to choose between a regexp literal and a division operator. When a slash is the first meaningful token, with the start of input or only whitespace and comments before it, there is no valid preceding token: the walk back over whitespace and comment nodes runs off the head of the node list to NULL, and the byte lookup reads through a NULL contents pointer at an underflowed length index. The following identifier check dereferences the same NULL pointer. The crash is reachable through the public minify() API, so input as small as a single slash byte crashes the calling process. A service that minifies untrusted or third-party JavaScript can be crashed by a remote request, causing denial of service.

Affected Products

VendorProductVersions
perljavascript::minifier::xs0, 0.15

References

  • https://metacpan.org/release/GTERMARS/JavaScript-Minifier-XS-0.16/changes(release-notes)

Related News (2 articles)

Tier C
VulDB7d ago
CVE-2026-56017 | GTERMARS JavaScript::Minifier::XS up to 0.15 on Perl XS.xs minify null pointer dereference
→ No new info (linked only)
Tier C
oss-security7d ago
CVE-2026-56017: JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash
→ No new info (linked only)
CVSS 3.10.0 MEDIUM
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
0.16
CWECWE-476, CWE-125
PublishedJun 29, 2026
Last enriched7d agov3
Trending Score19
Source articles2
Independent2
Info Completeness10/14
Missing: epss, kev, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

NONECVE-2026-8450EXP
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file()
Trending: 69
HIGHCVE-2026-11625EXP
Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes
Trending: 28
HIGHCVE-2026-56018EXP
JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth
Trending: 21
NONECVE-2026-9698EXP
DBI versions before 1.648 for Perl saved errors in a limited-sized buffer
Trending: 18
HIGHCVE-2026-48962EXP
IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob
Trending: 13

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jun 29, 2026
Discovered by ZDM
Jun 29, 2026
Updated: severity, exploitAvailable, activelyExploited
Jun 29, 2026
Actively Exploited
Jun 29, 2026
Exploit Available
Jun 29, 2026
Patch Available
Jun 29, 2026
Updated: affectedVersions, severity, cvssEstimate
Jun 29, 2026

Version History

v3
Last enriched 7d ago
v3Tier C7d ago

Updated vendor to GTERMARS, product to JavaScript::Minifier::XS, affected versions to 0.15, severity to MEDIUM, and noted no exploit available.

affectedVersionsseveritycvssEstimate
via VulDB
v2Tier C7d ago

Updated vendor to 'gtermars', product to 'JavaScript-Minifier-XS', severity to 'HIGH', and marked exploit as available and actively exploited.

severityexploitAvailableactivelyExploited
via oss-security
v17d ago

Initial creation