{"id":"CVE-2026-14895","summary":"String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service","details":"String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service.\n\nThe trim and rtrim functions stripped trailing whitespace with s/\\s*$//u. Because \\s* matches greedily and the $ anchor fails whenever a non-whitespace character follows the whitespace, the regex engine retries the match at each offset of a long whitespace run, producing quadratic backtracking. The fix replaces \\s*$ with \\s+$.\n\nAny caller that passes untrusted input to trim or rtrim can trigger CPU exhaustion with a string containing a long run of whitespace.","modified":"2026-07-09T04:01:17.184262701Z","published":"2026-07-07T22:12:22.460Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/14xxx/CVE-2026-14895.json","cna_assigner":"CPANSec","cwe_ids":["CWE-1333"]},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/07/07/18"},{"type":"WEB","url":"https://cpan.org/modules"},{"type":"WEB","url":"https://metacpan.org/release/BAKERSCOT/String-Util-1.36/diff/BAKERSCOT/String-Util-1.35#lib/String/Util.pm"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/14xxx/CVE-2026-14895.json"},{"type":"ADVISORY","url":"https://github.com/scottchiefbaker/String-Util/releases"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-14895"},{"type":"FIX","url":"https://github.com/scottchiefbaker/String-Util/commit/f8150867aaeb8f57c59601aefb2193f2caed8745.patch"},{"type":"PACKAGE","url":"https://github.com/scottchiefbaker/String-Util"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/scottchiefbaker/string-util","events":[{"introduced":"0"},{"fixed":"0f1fcf8882c9eaa49703a8ecaf479fe48ee86b6d"},{"fixed":"f8150867aaeb8f57c59601aefb2193f2caed8745"}],"database_specific":{"source":["DESCRIPTION","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"1.36"}]}}],"versions":["v1.35","v1.34","v1.33","1.32","1.31","1.30","v1.30","stable","gitpan_version/1.24","cpan_version/1.24","cpan_path/MIKO/String-Util-1.24.tar.gz","MIKO","gitpan_version/1.23","cpan_version/1.23","cpan_path/MIKO/String-Util-1.23.tar.gz","gitpan_version/1.01","cpan_version/1.01","cpan_path/MIKO/String-Util-1.01.tar.gz","gitpan_version/1.20","cpan_version/1.20","cpan_path/MIKO/String-Util-1.20.tar.gz","gitpan_version/1.21","cpan_version/1.21","cpan_path/MIKO/String-Util-1.21.tar.gz","gitpan_version/1.22","cpan_version/1.22","cpan_path/MIKO/String-Util-1.22.tar.gz"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14895.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}