Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
BREACH needs compression plus reflected input and a traffic-size oracle over many victim-driven requests (AC:H, UI:R); impact is CSRF bypass (I:H) with only token disclosure (C:L).
Primary rating from Vendor (CPANSec).
CVSS VectorVendor: CPANSec
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle.
_csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden csrf_token input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle.
An attacker able to query it can recover the token and pass csrf_protect validation.
AnalysisAI
CSRF token disclosure in the Perl Mojolicious web framework (versions 4.59 up to but not including 9.48) allows a network attacker to recover a victim's session CSRF token via a BREACH compression side channel and then bypass csrf_protect validation. Because _csrf_token cached and returned one stable per-session value that _csrf_field embedded in every response, an attacker who could inject reflected input into a gzip-compressed page could iteratively guess the token by observing compressed response lengths. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of: (1) the target Mojolicious app uses the built-in CSRF helpers so that the same static per-session token is emitted repeatedly (pre-9.48 behavior); (2) responses carrying the csrf_token field are gzip/deflate-compressed; (3) the same response reflects attacker-controlled input adjacent to the token; and (4) the attacker can observe compressed response lengths and induce many adaptive requests from the victim's authenticated session (an on-path/traffic-observation capability). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and warrant nuance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can observe a victim's TLS-encrypted traffic sizes (e.g., shared network or on-path) lures the victim's authenticated browser into repeatedly requesting a compressed page that both reflects an attacker-chosen string and includes the hidden csrf_token field. By adaptively varying the injected string and watching the compressed response shrink when a guess matches, the attacker recovers the full static token and submits a forged state-changing request that passes csrf_protect. … |
| Remediation | Vendor-released patch: 9.48 - upgrade Mojolicious to 9.48 or later, where CSRF tokens are masked with a fresh random value on every request (commit https://github.com/mojolicious/mojo/commit/01921fbbbbeca2d1397e082d4a647f9b84c24e27.patch). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all systems running Mojolicious and identify instances in versions 4.59 through 9.47. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Mojolicious
View allMojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC sessio
CSRF session hijacking in Mojolicious::Plugin::Web::Auth::OAuth2 through version 0.17 for Perl stems from a predictable
Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id
Same weakness CWE-204 – Observable Response Discrepancy
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44067
GHSA-6cg9-7rr8-cvj2