CVE Vulnerability Details: CVE-2026-56018
PUBLISHED
Assigner-CPANSec
Assigner Org ID-9b29abf9-4ab0-4765-b253-1875cd9b441e
Published At-29 Jun, 2026 | 19:38
Updated At-29 Jun, 2026 | 22:24
▼CVE Numbering Authority (CNA)
JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth

JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth. In JsMinify (XS.xs) the cleanup frees only the NodeSet structures and never the per-token contents buffers allocated in JsSetNodeContents; JsDiscardNode unlinks nodes without freeing their contents. Each token's contents buffer is therefore leaked on every call, and the two early returns taken when the node list is empty leak the whole NodeSet. A long-lived process that minifies repeatedly, such as an asset pipeline or a server-side minifier endpoint, grows in memory without bound until it exhausts available memory and is killed, causing denial of service.

Affected Products
Vendor: GTERMARS
Product: JavaScript::Minifier::XS
Collection URL: https://cpan.org/modules
Package Name: JavaScript-Minifier-XS
Repo: https://github.com/bleargh45/JavaScript-Minifier-XS
Program Files:
  • XS.xs
Program Routines:
  • JsMinify
Default Status: unaffected
Versions (Affected):
  • From 0 before 0.16 (custom)
Problem Types
Type: CWE
CWE ID: CWE-401
Description: CWE-401 Missing Release of Memory after Effective Lifetime
Type: CWE
CWE ID: CWE-400
Description: CWE-400 Uncontrolled Resource Consumption
Solutions

Upgrade to JavaScript::Minifier::XS version 0.16 or later.

References
Hyperlink: https://github.com/bleargh45/JavaScript-Minifier-XS/issues/10
Resource: issue-tracking
Hyperlink: https://metacpan.org/release/GTERMARS/JavaScript-Minifier-XS-0.16/changes
Resource: release-notes
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Metrics
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2. CVE Program Container
References
Hyperlink: http://www.openwall.com/lists/oss-security/2026/06/29/17
Resource: N/A