CVE-2026-56018

Name of the Vulnerable Software and Affected Versions JavaScript::Minifier::XS versions prior to 0.16

Description An issue exists where memory is leaked during every call to the minify() function. In the XS.xs component, the cleanup process only frees NodeSet structures and fails to free per-token contents buffers allocated in JsSetNodeContents. Additionally, JsDiscardNode unlinks nodes without freeing their contents. This results in unbounded memory growth for long-lived processes that perform repeated minification, such as server-side minifier endpoints or asset pipelines, potentially leading to a denial of service when available memory is exhausted.

Recommendations Update JavaScript::Minifier::XS to version 0.16 or later.