========================================================================
CVE-2026-14895                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-14895
  Distribution:  String-Util
      Versions:  before 1.36

      MetaCPAN:  https://metacpan.org/dist/String-Util
      VCS Repo:  https://github.com/scottchiefbaker/String-Util


String::Util versions before 1.36 for Perl are susceptible to a regular
expression denial of service

Description
-----------
String::Util versions before 1.36 for Perl are susceptible to a regular
expression denial of service.

The trim and rtrim functions stripped trailing whitespace with
s/\s*$//u. Because \s* matches greedily and the $ anchor fails whenever
a non-whitespace character follows the whitespace, the regex engine
retries the match at each offset of a long whitespace run, producing
quadratic backtracking. The fix replaces \s*$ with \s+$.

Any caller that passes untrusted input to trim or rtrim can trigger CPU
exhaustion with a string containing a long run of whitespace.

Problem types
-------------
- CWE-1333 Inefficient Regular Expression Complexity

Workarounds
-----------
For deployments that cannot upgrade, enforce a maximum length on
strings before passing them to the trim and rtrim functions.

Note that the HTML form field maxlength attribute is only enforced
client-side.


Solutions
---------
Upgrade to version 1.36 or later.


References
----------
https://github.com/scottchiefbaker/String-Util/commit/f8150867aaeb8f57c59601aefb2193f2caed8745.patch
https://metacpan.org/release/BAKERSCOT/String-Util-1.36/diff/BAKERSCOT/String-Util-1.35#lib/String/Util.pm
https://github.com/scottchiefbaker/String-Util/releases



Reply via email to