Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3105 articles · 171987 vulns · 36/41 feeds (7d)
← Back to list
7.5
CVE-2026-56018EXPLOITEDPATCHED
perl · javascript::minifier::xs

JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth

Description

JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth. In JsMinify (XS.xs) the cleanup frees only the NodeSet structures and never the per-token contents buffers allocated in JsSetNodeContents; JsDiscardNode unlinks nodes without freeing their contents. Each token's contents buffer is therefore leaked on every call, and the two early returns taken when the node list is empty leak the whole NodeSet. A long-lived process that minifies repeatedly, such as an asset pipeline or a server-side minifier endpoint, grows in memory without bound until it exhausts available memory and is killed, causing denial of service.

Affected Products

VendorProductVersions
perljavascript::minifier::xs0

References

  • https://github.com/bleargh45/JavaScript-Minifier-XS/issues/10(issue-tracking)
  • https://metacpan.org/release/GTERMARS/JavaScript-Minifier-XS-0.16/changes(release-notes)

Related News (2 articles)

Tier C
VulDB7d ago
CVE-2026-56018 | GTERMARS JavaScript::Minifier::XS up to 0.15 on Perl Server-side Minifier Endpoint XS.xs minify memory leak (Issue 10)
→ No new info (linked only)
Tier C
oss-security7d ago
CVE-2026-56018: JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth
→ No new info (linked only)
CVSS 3.17.5 HIGH
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
0.16
CWECWE-401, CWE-400
PublishedJun 29, 2026
Last enriched7d agov2
Trending Score21
Source articles2
Independent2
Info Completeness9/14
Missing: cvss, epss, kev, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

NONECVE-2026-8450EXP
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file()
Trending: 69
HIGHCVE-2026-11625EXP
Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes
Trending: 28
MEDIUMCVE-2026-56017EXP
JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash
Trending: 19
NONECVE-2026-9698EXP
DBI versions before 1.648 for Perl saved errors in a limited-sized buffer
Trending: 18
HIGHCVE-2026-48962EXP
IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob
Trending: 13

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jun 29, 2026
Discovered by ZDM
Jun 29, 2026
Updated: severity, exploitAvailable, activelyExploited
Jun 29, 2026
Actively Exploited
Jun 29, 2026
Exploit Available
Jun 29, 2026
Patch Available
Jun 29, 2026

Version History

v2
Last enriched 7d ago
v2Tier C7d ago

Updated vendor to CPAN Security Group, product name to JavaScript-Minifier-XS, changed severity to HIGH, and marked exploit as available and actively exploited.

severityexploitAvailableactivelyExploited
via oss-security
v17d ago

Initial creation