Follow @Openwall on Twitter for new release announcements and other news
[<prev] [day] [month] [year] [list]
Message-Id: <4A9CB9F7-5EDC-4EA2-8557-5D0F66CB1D03@stig.io>
Date: Tue, 14 Jul 2026 19:11:01 +0200
From: Stig Palmquist <stig@...g.io>
To: cve-announce@...urity.metacpan.org,
 oss-security@...ts.openwall.com
Subject: CVE-2026-15747: Mojolicious versions from 4.59 before 9.48 for Perl
 expose a stable representation of the session CSRF token to a BREACH
 compression oracle

========================================================================
CVE-2026-15747                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-15747
  Distribution:  Mojolicious
      Versions:  from 4.59 before 9.48

      MetaCPAN:  https://metacpan.org/dist/Mojolicious
      VCS Repo:  https://github.com/mojolicious/mojo


Mojolicious versions from 4.59 before 9.48 for Perl expose a stable
representation of the session CSRF token to a BREACH compression oracle

Description
-----------
Mojolicious versions from 4.59 before 9.48 for Perl expose a stable
representation of the session CSRF token to a BREACH compression
oracle.

_csrf_token generates and caches one token per session and returns the
same value on every call, and _csrf_field places that value in a hidden
`csrf_token` input. When a response carrying the token also echoes
attacker-controlled input and is gzip-compressed, the chosen values and
the resulting compressed lengths form a BREACH oracle.

An attacker able to query it can recover the token and pass
csrf_protect validation.

Problem types
-------------
- CWE-204 Observable Response Discrepancy
- CWE-352 Cross-Site Request Forgery (CSRF)

Solutions
---------
Upgrade to Mojolicious 9.48 or later.


References
----------
https://github.com/mojolicious/mojo/commit/01921fbbbbeca2d1397e082d4a647f9b84c24e27.patch
https://metacpan.org/release/SRI/Mojolicious-9.48/changes

Timeline
--------
- 2026-07-14: Version 9.48 released with fix.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.