Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle.

_csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden `csrf_token` input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle.

An attacker able to query it can recover the token and pass csrf_protect validation.

Project Subscriptions

No data.

Advisories

No advisories yet.

Fixes

Solution

Upgrade to Mojolicious 9.48 or later.


Workaround

No workaround given by the vendor.

History

Tue, 14 Jul 2026 17:45:00 +0000

Type Values Removed Values Added
Description Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. _csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden `csrf_token` input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle. An attacker able to query it can recover the token and pass csrf_protect validation.
Title Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle
Weaknesses CWE-204
CWE-352
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-07-14T19:30:12.894Z

Reserved: 2026-07-14T15:03:43.632Z

Link: CVE-2026-15747

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses