CVE-2026-15747 in Mojoliciousinfo

Summary

by MITRE • 07/14/2026

Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle.

_csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden `csrf_token` input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle.

An attacker able to query it can recover the token and pass csrf_protect validation.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

This vulnerability exists in Mojolicious web framework versions between 4.59 and 9.48 where the session CSRF token implementation creates a compression oracle through predictable token reuse. The core flaw lies in how _csrf_token function generates and caches a single token value per session, returning identical values across multiple requests within the same session context. This stable representation becomes problematic when combined with the _csrf_field helper that places this fixed token into hidden HTML input fields within response payloads.

The vulnerability exploits the BREACH compression attack pattern where attackers can infer sensitive data by observing compressed response sizes when injecting controlled plaintext into responses. When a response containing the fixed CSRF token also includes attacker-controlled input that gets echoed back in the same compressed payload, the compression algorithm's behavior reveals information about the token value through differential compression lengths. This occurs because gzip compression achieves better compression ratios when identical or similar strings appear repeatedly within the data stream.

The operational impact of this vulnerability is significant as it allows attackers to bypass CSRF protection mechanisms entirely. By constructing multiple requests with varying attacker-controlled input and measuring response sizes, an attacker can iteratively recover the stable CSRF token value through statistical analysis of compression behavior. Once recovered, the token can be submitted in subsequent requests to successfully pass CSRF validation checks, effectively neutralizing the security protection intended to prevent cross-site request forgery attacks.

This vulnerability maps to CWE-1240 - Information Exposure Through a Compression Oracle and aligns with ATT&CK technique T1592.001 - Replication via Web Shell where attackers could leverage this weakness to bypass security controls. The flaw represents a fundamental design issue in how session tokens are cached and reused, creating predictable patterns that compression algorithms can exploit. Organizations using affected Mojolicious versions should immediately upgrade to version 9.48 or later where the token generation mechanism has been modified to provide unique values per request, eliminating the compression oracle. Additionally, implementing proper input sanitization and avoiding the combination of sensitive data with attacker-controlled content in compressed responses serves as a mitigating factor against exploitation attempts.

The underlying technical issue stems from the insecure reuse of cryptographic tokens within predictable contexts, creating opportunities for adaptive attacks that leverage compression side channels. This represents a classic example of how modern web application security must consider not just the primary attack surface but also indirect information leakage mechanisms such as compression behavior that can reveal sensitive data patterns through seemingly benign system operations.

Responsible

CPANSec

Reservation

07/14/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!