HMAC Signature Verification Flaw in Mojo::JWT for Perl
CVE-2026-9537

Currently unrated

Key Information:

Vendor

Jberger

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-9537?

The Mojo::JWT library for Perl has a vulnerability in its HMAC signature verification process. Specifically, versions prior to 1.02 utilize the Perl 'eq' operator for comparing the supplied signature with the computed HMAC. This implementation flaw allows an attacker to exploit timing variations when the two signatures differ, potentially revealing the valid signature over multiple requests. By carefully observing the response times, an attacker can reconstruct the expected signature and forge valid tokens. Addressing this issue is crucial for maintaining the integrity and security of applications relying on Mojo::JWT for token handling.

Affected Version(s)

Mojo::JWT 0 < 1.02

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.