{"api_version":"1","generated_at":"2026-06-30T05:11:53+00:00","cve":"CVE-2026-56017","urls":{"html":"https://cve.report/CVE-2026-56017","api":"https://cve.report/api/cve/CVE-2026-56017.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-56017","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-56017"},"summary":{"title":"JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash","description":"JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash.\n\nThe regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token's last byte to choose between a regexp literal and a division operator. When a slash is the first meaningful token, with the start of input or only whitespace and comments before it, there is no valid preceding token: the walk back over whitespace and comment nodes runs off the head of the node list to NULL, and the byte lookup reads through a NULL contents pointer at an underflowed length index. The following identifier check dereferences the same NULL pointer.\n\nThe crash is reachable through the public minify() API, so input as small as a single slash byte crashes the calling process. A service that minifies untrusted or third-party JavaScript can be crashed by a remote request, causing denial of service.","state":"PUBLISHED","assigner":"CPANSec","published_at":"2026-06-29 20:17:39","updated_at":"2026-06-29 23:16:43"},"problem_types":["CWE-125","CWE-476","CWE-476 CWE-476 NULL Pointer Dereference","CWE-125 CWE-125 Out-of-bounds Read"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"http://www.openwall.com/lists/oss-security/2026/06/29/16","name":"http://www.openwall.com/lists/oss-security/2026/06/29/16","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://metacpan.org/release/GTERMARS/JavaScript-Minifier-XS-0.16/changes","name":"https://metacpan.org/release/GTERMARS/JavaScript-Minifier-XS-0.16/changes","refsource":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-56017","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-56017","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"GTERMARS","product":"JavaScript::Minifier::XS","version":"affected 0.16 custom","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Upgrade to JavaScript::Minifier::XS version 0.16 or later.","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-56017","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-29T20:54:26.731930Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-29T20:55:00.530Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2026-06-29T22:24:35.943Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"http://www.openwall.com/lists/oss-security/2026/06/29/16"}],"title":"CVE Program Container"}],"cna":{"affected":[{"collectionURL":"https://cpan.org/modules","defaultStatus":"unaffected","packageName":"JavaScript-Minifier-XS","product":"JavaScript::Minifier::XS","programFiles":["XS.xs"],"programRoutines":[{"name":"JsTokenizeString"}],"repo":"https://github.com/bleargh45/JavaScript-Minifier-XS","vendor":"GTERMARS","versions":[{"lessThan":"0.16","status":"affected","version":"0","versionType":"custom"}]}],"descriptions":[{"lang":"en","value":"JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash.\n\nThe regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token's last byte to choose between a regexp literal and a division operator. When a slash is the first meaningful token, with the start of input or only whitespace and comments before it, there is no valid preceding token: the walk back over whitespace and comment nodes runs off the head of the node list to NULL, and the byte lookup reads through a NULL contents pointer at an underflowed length index. The following identifier check dereferences the same NULL pointer.\n\nThe crash is reachable through the public minify() API, so input as small as a single slash byte crashes the calling process. A service that minifies untrusted or third-party JavaScript can be crashed by a remote request, causing denial of service."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-476","description":"CWE-476 NULL Pointer Dereference","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-125","description":"CWE-125 Out-of-bounds Read","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-29T19:38:14.599Z","orgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","shortName":"CPANSec"},"references":[{"tags":["release-notes"],"url":"https://metacpan.org/release/GTERMARS/JavaScript-Minifier-XS-0.16/changes"}],"solutions":[{"lang":"en","value":"Upgrade to JavaScript::Minifier::XS version 0.16 or later."}],"source":{"discovery":"UNKNOWN"},"title":"JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash","x_generator":{"engine":"cpansec-cna-tool 0.1"}}},"cveMetadata":{"assignerOrgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","assignerShortName":"CPANSec","cveId":"CVE-2026-56017","datePublished":"2026-06-29T19:38:14.599Z","dateReserved":"2026-06-18T11:27:09.117Z","dateUpdated":"2026-06-29T22:24:35.943Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-29 20:17:39","lastModifiedDate":"2026-06-29 23:16:43","problem_types":["CWE-125","CWE-476","CWE-476 CWE-476 NULL Pointer Dereference","CWE-125 CWE-125 Out-of-bounds Read"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-29T20:54:26.731930Z","id":"CVE-2026-56017","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"56017","Ordinal":"1","Title":"JavaScript::Minifier::XS versions before 0.16 for Perl crash wit","CVE":"CVE-2026-56017","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"56017","Ordinal":"1","NoteData":"JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash.\n\nThe regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token's last byte to choose between a regexp literal and a division operator. When a slash is the first meaningful token, with the start of input or only whitespace and comments before it, there is no valid preceding token: the walk back over whitespace and comment nodes runs off the head of the node list to NULL, and the byte lookup reads through a NULL contents pointer at an underflowed length index. The following identifier check dereferences the same NULL pointer.\n\nThe crash is reachable through the public minify() API, so input as small as a single slash byte crashes the calling process. A service that minifies untrusted or third-party JavaScript can be crashed by a remote request, causing denial of service.","Type":"Description","Title":"JavaScript::Minifier::XS versions before 0.16 for Perl crash wit"}]}}}