JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

No data.

No data.

No data.

References
Link Providers
http://www.openwall.com/lists/oss-security/2025/09/08/2 cve-icon
https://lists.debian.org/debian-lts-announce/2025/09/msg00033.html cve-icon
https://metacpan.org/release/MLEHMANN/JSON-XS-4.03/source/XS.xs#L256 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-40928 cve-icon
https://security.metacpan.org/patches/J/JSON-XS/4.03/CVE-2025-40928-r1.patch cve-icon cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-40928 cve-icon
History

Tue, 04 Nov 2025 22:30:00 +0000

Type Values Removed Values Added
References

Mon, 03 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
References

Tue, 09 Sep 2025 00:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 08 Sep 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Description JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact
Title JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact
Weaknesses CWE-122
References
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published: 2025-09-08T15:08:21.860Z

Updated: 2025-11-04T21:10:22.058Z

Reserved: 2025-04-16T09:05:34.363Z

Link: CVE-2025-40928

cve-icon Vulnrichment

Updated: 2025-11-04T21:10:22.058Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-09-08T15:15:35.810

Modified: 2025-11-04T22:16:12.510

Link: CVE-2025-40928

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-09-08T15:08:21Z

Links: CVE-2025-40928 - Bugzilla