CVE-2026-15747

NameCVE-2026-15747
DescriptionMojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. _csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden `csrf_token` input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle. An attacker able to query it can recover the token and pass csrf_protect validation.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libmojolicious-perl (PTS)bullseye8.71+dfsg-1vulnerable
bookworm9.31+dfsg-1vulnerable
trixie9.39+dfsg-1vulnerable
forky, sid9.47+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libmojolicious-perlsource(unstable)(unfixed)

Notes

https://lists.security.metacpan.org/cve-announce/msg/41816171/
Fixed by: https://github.com/mojolicious/mojo/commit/01921fbbbbeca2d1397e082d4a647f9b84c24e27 (v9.48)

Search for package or bug name: Reporting problems