Critical Integer Overflow Vulnerabilities in Perl JSON Parsers

Overview A set of critical vulnerabilities (CVE-2025-40928, CVE-2025-40929, CVE-2025-40930) has been discovered in three high-performance JSON parsers for the Perl programming language. These vulnerabilities are all integer buffer overflows that can be triggered by parsing a specially crafted JSON string, leading to a segmentation fault (segfault) and a crash of the Perl interpreter. This enables Denial-of-Service (DoS) attacks. The "unspecified other impact" suggests the potential for more severe consequences, such as arbitrary code execution, under specific memory layouts and compiler conditions, though this is more difficult to achieve. 

All vulnerabilities were disclosed by CPANSec, the Perl equivalent of MITRE's CVE program, on September 8, 2025. 

---

Article 1: CVE-2025-40928 - JSON::XS

Affected Product: JSON::XS Vulnerable Versions: Before 4.04 Patched Version: 4.04 and later Perl Module Link: JSON::XS on MetaCPAN

Technical Detail: JSON::XS is a popular, high-performance JSON serializer/deserializer for Perl, based on the C library "libxsmm". The vulnerability resides in the C code that handles the parsing of JSON strings, specifically when calculating the required buffer size for a string containing a large number of Unicode escape sequences (e.g., \u0055).

The flaw is an integer overflow during this size calculation. When a JSON string contains an enormous number of these sequences, the calculation (number_of_escapes * something + original_length) can exceed the maximum value a 32-bit integer can hold (2,147,483,647), causing it to "wrap around" to a very small, negative number.

The code then allocates a memory buffer based on this now-tiny, incorrect size. When the parser subsequently attempts to write the fully unescaped string into this drastically undersized buffer, it writes past the end of the allocated memory. This corrupts adjacent memory structures and, when detected by the system, results in an immediate segmentation fault, crashing the entire Perl process.

Sample Scenario: Imagine a web application that uses a Perl backend with JSON::XS to process user-provided data, such as a form field for a "user bio."

1. Normal Operation: A user submits a bio: {"bio": "Hello, world!"}. The server parses this quickly and without issue.

2. Malicious Attack: An attacker submits a crafted JSON payload instead. The payload doesn't contain a normal string but one filled with hundreds of millions of Unicode escape sequences:

   {
    "bio": "\u0055\u0055\u0055\u0055\u0055\u0055...(repeated billions of times)..."
   }

3. Triggering the Vulnerability: The web application receives this payload and passes it to the decode_json() function from JSON::XS.

4. The Crash: The integer overflow occurs during buffer size calculation. The parser attempts to write data into a buffer that is far too small, causing a segfault. The Perl worker process (e.g., a CGI script, a mod_perl worker, or a Starman web server child) terminates abruptly.

5. Denial-of-Service: If this is a pre-forking web server, the crash kills one worker process. The attacker can send this request repeatedly. Each request kills another worker, eventually exhausting all available workers and making the website unresponsive to legitimate traffic.

Mitigation: Immediately update the JSON::XS module to version 4.04 or later.

cpanm JSON::XS
# or
cpan JSON::XS

If immediate update is impossible, implement strict input validation and size limits on incoming JSON data at the web server (e.g., Nginx's client_max_body_size) or application level before it reaches the JSON parser.

---

Article 2: CVE-2025-40929 - Cpanel::JSON::XS 

Affected Product: Cpanel::JSON::XS Vulnerable Versions: Before 4.40 Patched Version: 4.40 and later Perl Module Link: Cpanel::JSON::XS on MetaCPAN

Technical Detail: Cpanel::JSON::XS is a fork of JSON::XS, originally created for cPanel. It emphasizes security and reliability, often including bug fixes ahead of the original JSON::XS. Despite this, it was independently found to contain the same class of integer buffer overflow vulnerability.

The root cause is identical: a miscalculation of the required buffer size when processing a JSON string full of escape sequences, leading to an integer wrap-around, a buffer under-allocation, and a subsequent memory corruption and segfault.

Sample Scenario: Consider a multi-tenant SaaS platform where user configuration is stored as JSON in a database. The platform uses Cpanel::JSON::XS to read and write this configuration.

1. Normal Operation: A user saves their profile settings. The application serializes the Perl hashref into JSON and stores it without issue.
2. Malicious Attack: An attacker manages to inject a malicious JSON string into their configuration profile through a different API endpoint (e.g., by setting their display name to the crafted string if input validation is lacking).
3. Triggering the Vulnerability: Later, when the attacker views their profile or when a background job processes all user data, the application retrieves the malicious JSON from the database and passes it to Cpanel::JSON::XS::decode_json.
4. The Crash: The integer overflow is triggered. The process parsing the data—be it a web worker, a cron job, or an admin tool—crashes with a segfault.
5. Impact: This could disrupt background processing jobs or take down administrative panels that attempt to handle the corrupted user record. This is a persistent DoS, as the malicious payload sits in the database until manually removed.

Mitigation: Immediately update the Cpanel::JSON::XS module to version 4.40 or later.

cpanm Cpanel::JSON::XS

Additionally, always validate and sanitize data before storing it in a database, even if you trust your own application's serialization process. An attacker might find another vector to write data directly.

---

Article 3: CVE-2025-40930 - JSON::SIMD 

Affected Product: JSON::SIMD Vulnerable Versions: Before 1.07 Patched Version: 1.07 and later Perl Module Link: JSON::SIMD on MetaCPAN

Technical Detail: JSON::SIMD is another high-performance JSON parser for Perl. Its key differentiator is that it uses SIMD (Single Instruction, Multiple Data) CPU instructions (like SSE4.2 and AVX2) to achieve even greater parsing speeds. The vulnerability is, once again, a homologous integer buffer overflow in the underlying C library that handles the string unescaping logic.

Despite its advanced parsing techniques, the same fundamental error in arithmetic safety checks was present. The lack of bounds checking on the buffer size calculation made it susceptible to the same attack vector as its cousins.

Sample Scenario: Imagine a high-throughput data processing pipeline written in Perl, perhaps for parsing log files or messages from a message queue (e.g., RabbitMQ, Kafka) where each message is formatted in JSON. JSON::SIMD was chosen specifically for its speed advantages.

1. Normal Operation: The pipeline consumes thousands of valid JSON messages per second from a queue, parsing them and inserting the data into a data warehouse.
2. Malicious Attack: An attacker gains the ability to publish a message to the queue (e.g., due to a misconfiguration or a separate exploit). They publish a single message containing a value with the crafted long string of escape sequences.
3. Triggering the Vulnerability: A worker in the pipeline picks up this message and tries to parse it with JSON::SIMD.
4. The Crash: The parser crashes immediately on encountering the malicious string. The entire worker process dies.
5. Impact: In a modern distributed system, a process crash might trigger an automatic restart. However, the problematic message often gets put back on the queue (e.g., due to not being acknowledged). The restarted worker picks up the same malicious message and crashes again. This creates a crash loop, effectively halting the entire data pipeline until the poisonous message is identified and manually removed from the queue.

Mitigation: Immediately update the JSON::SIMD module to version 1.07 or later.

cpanm JSON::SIMD

For message processing systems, implement a "dead letter queue" to capture messages that repeatedly cause processing failures, preventing crash loops and allowing for analysis of the malicious payload.

---

General Conclusion and Best Practices

These three CVEs highlight a common weakness in performance-sensitive C code bound to Perl: the lack of robust integer overflow protection. The fact that three independent modules were simultaneously affected suggests a widespread need for more secure coding practices in the Perl ecosystem's XS (C extension) libraries.

Summary of Actions:

1. Update Immediately: Identify which of these JSON parsers your Perl applications use and update them to their patched versions.
2. Scan Dependencies: Use tools like cpan-audit (or services like Dependabot for GitHub) to automatically scan your codebases and applications for vulnerable dependencies.
3. Defense in Depth:
• Input Validation: Always impose reasonable size limits on incoming user data.
• Sandboxing: Run network-facing Perl processes (web workers, queue consumers) under supervision (e.g., with systemd or Kubernetes) so they can be automatically restarted after a crash.
• Monitoring: Monitor your applications for an increased rate of process crashes or segfaults, which can be an early indicator of an exploitation attempt.

For cyber attack prevention solutions, check out the CyberHatOnline website and products.