CVE-2026-56018
Severity CVSS v4.0:
Pending analysis
Type:
CWE-400
Uncontrolled Resource Consumption ('Resource Exhaustion')
Publication date:
29/06/2026
Last modified:
30/06/2026
Description
JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth.<br />
<br />
In JsMinify (XS.xs) the cleanup frees only the NodeSet structures and never the per-token contents buffers allocated in JsSetNodeContents; JsDiscardNode unlinks nodes without freeing their contents. Each token&#39;s contents buffer is therefore leaked on every call, and the two early returns taken when the node list is empty leak the whole NodeSet.<br />
<br />
A long-lived process that minifies repeatedly, such as an asset pipeline or a server-side minifier endpoint, grows in memory without bound until it exhausts available memory and is killed, causing denial of service.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH



