CVE-2026-14895
BAKERSCOT · String::Util
A regular expression denial of service (ReDoS) vulnerability in the trim and rtrim functions of the String::Util Perl module allows for CPU exhaustion via maliciously crafted inputs.
Executive summary
The String::Util Perl module is vulnerable to a regular expression denial of service (ReDoS) attack that can lead to significant resource exhaustion.
Vulnerability
This vulnerability is a regular expression denial of service (ReDoS) due to inefficient regular expression complexity (CWE-1333). Any caller that passes untrusted input to the trim or rtrim functions can trigger CPU exhaustion with a string containing a long run of whitespace. The attack vector is unauthenticated.
Business impact
The vulnerability carries a CVSS score of 7.5, classifying it as High severity. Successful exploitation results in a denial-of-service condition, which can render applications utilizing this library unresponsive or cause system-wide instability. This could lead to service downtime and potentially impact business continuity for applications relying on this utility for input sanitization.
Remediation
Immediate Action: Upgrade to version 1.36 or later immediately to incorporate the patch that resolves the inefficient regular expression complexity.
Proactive Monitoring: Monitor server CPU utilization and error logs for patterns indicative of resource exhaustion or abnormal processing times during input parsing.
Compensating Controls: Implement input length validation and rate limiting at the application gateway or firewall level to prevent excessively large or complex strings from reaching the vulnerable functions.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The vulnerability represents a clear risk to service availability. Administrators should prioritize upgrading to version 1.36 to eliminate the underlying regex inefficiency. Given the ease with which ReDoS can be triggered, timely patching is essential to ensure system stability.