Message-ID: <172fabf2-e864-4c9f-8493-5206b529a4ee@cpansec.org>
Date: Mon, 29 Jun 2026 20:40:11 +0100
From: Robert Rothenberg <rrwo@...nsec.org>
To: cve-announce@...urity.metacpan.org, oss-security@...ts.openwall.com
Subject: CVE-2026-56017: JavaScript::Minifier::XS versions before 0.16 for
 Perl crash with a NULL pointer dereference when the first meaningful token of
 the input is a slash


========================================================================
CVE-2026-56017                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-56017
   Distribution:  JavaScript-Minifier-XS
       Versions:  before 0.16

       MetaCPAN:  https://metacpan.org/dist/JavaScript-Minifier-XS
       VCS Repo:  https://github.com/bleargh45/JavaScript-Minifier-XS


JavaScript::Minifier::XS versions before 0.16 for Perl crash with a
NULL pointer dereference when the first meaningful token of the input
is a slash

Description
-----------
JavaScript::Minifier::XS versions before 0.16 for Perl crash with a
NULL pointer dereference when the first meaningful token of the input
is a slash.

The regexp versus division disambiguator in JsTokenizeString (XS.xs)
inspects the previous token's last byte to choose between a regexp
literal and a division operator. When a slash is the first meaningful
token, with the start of input or only whitespace and comments before
it, there is no valid preceding token: the walk back over whitespace
and comment nodes runs off the head of the node list to NULL, and the
byte lookup reads through a NULL contents pointer at an underflowed
length index. The following identifier check dereferences the same NULL
pointer.

The crash is reachable through the public minify() API, so input as
small as a single slash byte crashes the calling process. A service
that minifies untrusted or third-party JavaScript can be crashed by a
remote request, causing denial of service.
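The walk-back and NULL guard described above, as an added illustration that is not the module's own XS.xs code: a hypothetical token list with a prev_meaningful() helper that returns NULL when only whitespace and comment nodes precede the slash, and a slash_starts_regexp() decision that treats that case as a regexp literal instead of reading through a NULL contents pointer at length - 1. The crude slash_after() tokenizer, the node types and the keyword table are constructed for this example only.

```c
#include <ctype.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical token kinds for this illustration (not the module's own). */
typedef enum { TOK_WHITESPACE, TOK_COMMENT, TOK_WORD, TOK_PUNCT } TokType;

typedef struct Node {
    TokType type;
    const char *contents;   /* token text, not NUL-terminated */
    size_t length;
    struct Node *prev;
} Node;

/* Walk back over whitespace and comment nodes. Returns NULL, rather than
 * running off the head of the list, when no meaningful token precedes n. */
static const Node *prev_meaningful(const Node *n) {
    const Node *p = n ? n->prev : NULL;
    while (p != NULL && (p->type == TOK_WHITESPACE || p->type == TOK_COMMENT))
        p = p->prev;
    return p;
}

/* Keywords after which a slash begins a regexp literal, not a division. */
static int is_regexp_keyword(const Node *p) {
    static const char *const kw[] = { "return", "typeof", "instanceof", "in",
        "of", "do", "else", "case", "void", "delete", "new", "throw" };
    for (size_t i = 0; i < sizeof kw / sizeof kw[0]; i++)
        if (strlen(kw[i]) == p->length && memcmp(kw[i], p->contents, p->length) == 0)
            return 1;
    return 0;
}

/* 1: the slash at `slash` starts a regexp literal; 0: it is a division operator. */
int slash_starts_regexp(const Node *slash) {
    const Node *p = prev_meaningful(slash);
    /* Guard: start of input (or only whitespace/comments before the slash).
     * Nothing can be divided here, so it must be a regexp literal. Without this
     * check p->contents[p->length - 1] would dereference NULL at an underflowed index. */
    if (p == NULL || p->contents == NULL || p->length == 0)
        return 1;
    unsigned char last = (unsigned char)p->contents[p->length - 1];
    if (p->type == TOK_WORD)
        return is_regexp_keyword(p) ? 1 : 0;   /* identifier/number: division */
    /* After ')' ']' or a closing quote a slash is division; after other punctuation a regexp. */
    return (last == ')' || last == ']' || last == '"' || last == '\'') ? 0 : 1;
}

#define MAX_NODES 64

/* Crude tokenizer for the text before a slash: whitespace runs, block comments,
 * word runs and single punctuation characters (line comments are not handled).
 * Appends the slash node and returns slash_starts_regexp() for it. */
int slash_after(const char *prefix) {
    Node nodes[MAX_NODES];
    size_t count = 0, i = 0, len = strlen(prefix);
    while (i < len && count < MAX_NODES) {
        Node *n = &nodes[count];
        n->contents = prefix + i;
        n->prev = count ? &nodes[count - 1] : NULL;
        if (isspace((unsigned char)prefix[i])) {
            n->type = TOK_WHITESPACE;
            while (i < len && isspace((unsigned char)prefix[i])) i++;
        } else if (prefix[i] == '/' && i + 1 < len && prefix[i + 1] == '*') {
            n->type = TOK_COMMENT;
            const char *end = strstr(prefix + i + 2, "*/");
            i = end ? (size_t)(end - prefix) + 2 : len;
        } else if (isalnum((unsigned char)prefix[i]) || prefix[i] == '_' || prefix[i] == '$') {
            n->type = TOK_WORD;
            while (i < len && (isalnum((unsigned char)prefix[i]) || prefix[i] == '_' || prefix[i] == '$')) i++;
        } else {
            n->type = TOK_PUNCT;
            i++;
        }
        n->length = (size_t)((prefix + i) - n->contents);
        count++;
    }
    Node slash = { TOK_PUNCT, "/", 1, count ? &nodes[count - 1] : NULL };
    return slash_starts_regexp(&slash);
}

int main(void) {
    /* Constructed inputs: the first two are the start-of-input case from the advisory. */
    const char *const cases[] = { "", "  /* leading comment */ ", "a ", "return ", "f(x) ", "x = " };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("\"%s/\" -> %s\n", cases[i], slash_after(cases[i]) ? "regexp" : "division");
    return 0;
}
```

The point of the guard is that the "no previous token" condition is an ordinary input state, reachable with a single slash byte through the public API, so the decision function has to return a value for it rather than rely on the caller having produced a token first.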

Problem types
-------------
- CWE-476 NULL Pointer Dereference
- CWE-125 Out-of-bounds Read

Solutions
---------
Upgrade to JavaScript::Minifier::XS version 0.16 or later.


References
----------
https://metacpan.org/release/GTERMARS/JavaScript-Minifier-XS-0.16/changes


