Skip to main content

Mojo CVE-2026-9537

| EUVDEUVD-2026-45193
Observable Timing Discrepancy (CWE-208)
2026-07-17 CPANSec GHSA-3rp9-gq85-w2mf

Lifecycle Timeline

1
CVE Published
Jul 17, 2026 - 15:29 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison.

The decode() method compares the supplied signature to the recomputed HMAC with Perl's eq operator, which stops at the first differing byte, so the comparison time varies with the number of matching leading bytes.

A caller that decodes attacker supplied tokens leaks the expected signature through this timing variation, which can be aggregated over many requests to recover the signature and forge a token.

Analysis

Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison. The decode() method compares the supplied signature to the recomputed HMAC with Perl's eq operator, which stops at the first differing byte, so the comparison time varies with the number of matching leading bytes. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9537 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy