Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle.
_csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden `csrf_token` input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle.
An attacker able to query it can recover the token and pass csrf_protect validation.
_csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden `csrf_token` input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle.
An attacker able to query it can recover the token and pass csrf_protect validation.
Project Subscriptions
No data.
Advisories
No advisories yet.
Fixes
Solution
Upgrade to Mojolicious 9.48 or later.
Workaround
No workaround given by the vendor.
References
History
Tue, 14 Jul 2026 17:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. _csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden `csrf_token` input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle. An attacker able to query it can recover the token and pass csrf_protect validation. | |
| Title | Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle | |
| Weaknesses | CWE-204 CWE-352 |
|
| References |
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: CPANSec
Published:
Updated: 2026-07-14T19:30:12.894Z
Reserved: 2026-07-14T15:03:43.632Z
Link: CVE-2026-15747
No data.
No data.
No data.
OpenCVE Enrichment
No data.