Home

Description

Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. _csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden `csrf_token` input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle. An attacker able to query it can recover the token and pass csrf_protect validation.

PUBLISHED Reserved 2026-07-14 | Published 2026-07-14 | Updated 2026-07-14 | Assigner CPANSec

Problem types

CWE-204 Observable Response Discrepancy

CWE-352 Cross-Site Request Forgery (CSRF)

Product status

Default status
unaffected

4.59 (custom) before 9.48
affected

Timeline

2026-07-14:Version 9.48 released with fix.

References

www.openwall.com/lists/oss-security/2026/07/14/16

github.com/...01921fbbbbeca2d1397e082d4a647f9b84c24e27.patch patch

metacpan.org/release/SRI/Mojolicious-9.48/changes release-notes

cve.org (CVE-2026-15747)

nvd.nist.gov (CVE-2026-15747)

Download JSON