CVE-2025-40928: 
Linux Debian vulnerability analysis and mitigation

JSON::XS before version 4.04 for Perl contains a critical security vulnerability identified as CVE-2025-40928. The vulnerability was discovered and disclosed on September 8, 2025, affecting the JSON parsing functionality. The issue involves an integer buffer overflow that occurs when parsing crafted JSON input, which can lead to application crashes and potential security implications (NVD, OSS Security).

The vulnerability is classified as a heap-based buffer overflow (CWE-122) that occurs during JSON parsing operations. The issue stems from improper handling of integer values in the parsing logic, specifically in the number parsing functionality. The vulnerability received a CVSS v3.1 base score of 7.5 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that it can be exploited remotely without requiring privileges or user interaction (NVD).

When exploited, this vulnerability can cause the application to crash through a segmentation fault, leading to denial-of-service conditions. Additionally, there may be other unspecified impacts that could potentially compromise the security of systems using the affected versions of JSON::XS (NVD).

Users are advised to upgrade to JSON::XS version 4.04 or later, which contains the fix for this vulnerability. A patch has been made available to address the integer buffer overflow issue (CPANSec).