Back to overview

CVE-2026-14895

Description
String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service. The trim and rtrim functions stripped trailing whitespace with s/\s*$//u. Because \s* matches greedily and the $ anchor fails whenever a non-whitespace character follows the whitespace, the regex engine retries the match at each offset of a long whitespace run, producing quadratic backtracking. The fix replaces \s*$ with \s+$. Any caller that passes untrusted input to trim or rtrim can trigger CPU exhaustion with a string containing a long run of whitespace.

Metadata

CVE ID
CVE-2026-14895
State
PUBLISHED
Assigner
CPANSec
Reserved
2026-07-06 18:31 UTC
Published
2026-07-07 22:12 UTC
Last updated
2026-07-08 00:28 UTC
Primary CWE
CWE-1333
CWE-1333 Inefficient Regular Expression Complexity
Vendor / Product
BAKERSCOT / String::Util
Sources
cve.org  ·  NVD

Severity & Metrics

No CVSS data available.

Affected products (1)
VendorProductPlatformVersions
BAKERSCOT String::Util 0 < 1.36
Weakness (CWE)
CWESourceDescription
CWE-1333 cna CWE-1333 Inefficient Regular Expression Complexity
Back to overview