Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <44427891-49fe-41d5-a763-12be8867cee9@cpansec.org>
Date: Fri, 17 Jul 2026 16:21:11 +0100
From: Robert Rothenberg <rrwo@...nsec.org>
To: cve-announce@...urity.metacpan.org, oss-security@...ts.openwall.com
Subject: CVE-2026-14741: HTTP::Date versions before 6.08 for Perl allow CPU
 exhaustion via polynomial regex backtracking in parse_date


========================================================================
CVE-2026-14741                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-14741
   Distribution:  HTTP-Date
       Versions:  before 6.08

       MetaCPAN:  https://metacpan.org/dist/HTTP-Date
       VCS Repo:  https://github.com/libwww-perl/HTTP-Date


HTTP::Date versions before 6.08 for Perl allow CPU exhaustion via
polynomial regex backtracking in parse_date

Description
-----------
HTTP::Date versions before 6.08 for Perl allow CPU exhaustion via
polynomial regex backtracking in parse_date.

parse_date() matches the date string against a chain of alternative
regexes, and str2time() delegates to it. Several of these patterns
place unbounded quantifiers next to each other before a trailing `\s*$`
anchor. A valid date prefix followed by a long interior run of digits,
letters, or whitespace and a single trailing byte that defeats the
final match forces the engine to repartition the run, giving polynomial
(about quadratic) backtracking. A header value of a few tens of
kilobytes runs for tens of seconds of CPU.

HTTP::Date parses timestamps such as HTTP `Date`, `Expires`, and
`Last-Modified` headers, which commonly originate from untrusted
sources. Any caller that passes an untrusted date header to str2time()
or parse_date() can be driven to consume unbounded CPU, a denial of
service.

Problem types
-------------
- CWE-1333 Inefficient Regular Expression Complexity

Solutions
---------
Upgrade to HTTP::Date 6.08 or later, which rejects input longer than 64
characters before the date-parsing regexes run.


References
----------
https://github.com/libwww-perl/HTTP-Date/commit/78c20952cdfbf11e03cf1199ad70f13298a84c5c.patch
https://github.com/libwww-perl/HTTP-Date/pull/33
https://metacpan.org/release/OALDERS/HTTP-Date-6.08/changes

Timeline
--------
- 2026-07-09: Version 6.08 released with the fix.



Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.