HMAC Signature Verification Flaw in Mojo::JWT for Perl
CVE-2026-9537
Currently unrated
What is CVE-2026-9537?
The Mojo::JWT library for Perl has a vulnerability in its HMAC signature verification process. Specifically, versions prior to 1.02 utilize the Perl 'eq' operator for comparing the supplied signature with the computed HMAC. This implementation flaw allows an attacker to exploit timing variations when the two signatures differ, potentially revealing the valid signature over multiple requests. By carefully observing the response times, an attacker can reconstruct the expected signature and forge valid tokens. Addressing this issue is crucial for maintaining the integrity and security of applications relying on Mojo::JWT for token handling.
Affected Version(s)
Mojo::JWT 0 < 1.02
