CVE Catalog

CVE-2026-56018

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.61%

45th percentile — higher than 45% of all known CVEs

Summary

A vulnerability in JavaScript::Minifier::XS for Perl before version 0.16 causes memory leaks on every call to minify(). The cleanup function only frees NodeSet structures but not per-token content buffers, leading to unbounded memory growth.

Risk Assessment

Long-lived processes such as asset pipelines or server-side minifier endpoints will gradually exhaust available memory, potentially causing denial of service (DoS) and system crashes.

Recommendation

Immediately upgrade JavaScript::Minifier::XS to version 0.16 or later. If upgrading is not possible, limit the number of minify() calls or periodically restart the process.

Original NVD description (English source)

JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth. In JsMinify (XS.xs) the cleanup frees only the NodeSet structures and never the per-token contents buffers allocated in JsSetNodeContents; JsDiscardNode unlinks nodes without freeing their contents. Each token's contents buffer is therefore leaked on every call, and the two early returns taken when the node list is empty leak the whole NodeSet. A long-lived process that minifies repeatedly, such as an asset pipeline or a server-side minifier endpoint, grows in memory without bound until it exhausts available memory and is killed, causing denial of service.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS