CVE-2026-14895

BAKERSCOT · String::Util

A regular expression denial of service (ReDoS) vulnerability in the trim and rtrim functions of the String::Util Perl module allows for CPU exhaustion via maliciously crafted inputs.

Executive summary

The String::Util Perl module is vulnerable to a regular expression denial of service (ReDoS) attack that can lead to significant resource exhaustion.

Vulnerability

This vulnerability is a regular expression denial of service (ReDoS) due to inefficient regular expression complexity (CWE-1333). Any caller that passes untrusted input to the trim or rtrim functions can trigger CPU exhaustion with a string containing a long run of whitespace. The attack vector is unauthenticated.

Business impact

The vulnerability carries a CVSS score of 7.5, classifying it as High severity. Successful exploitation results in a denial-of-service condition, which can render applications utilizing this library unresponsive or cause system-wide instability. This could lead to service downtime and potentially impact business continuity for applications relying on this utility for input sanitization.

Remediation

Immediate Action: Upgrade to version 1.36 or later immediately to incorporate the patch that resolves the inefficient regular expression complexity.

Proactive Monitoring: Monitor server CPU utilization and error logs for patterns indicative of resource exhaustion or abnormal processing times during input parsing.

Compensating Controls: Implement input length validation and rate limiting at the application gateway or firewall level to prevent excessively large or complex strings from reaching the vulnerable functions.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The vulnerability represents a clear risk to service availability. Administrators should prioritize upgrading to version 1.36 to eliminate the underlying regex inefficiency. Given the ease with which ReDoS can be triggered, timely patching is essential to ensure system stability.