CVE-2026-9537
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
17/07/2026
Última modificación:
17/07/2026
Descripción
*** Pendiente de traducción *** Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison.<br />
<br />
The decode() method compares the supplied signature to the recomputed HMAC with Perl&#39;s eq operator, which stops at the first differing byte, so the comparison time varies with the number of matching leading bytes.<br />
<br />
A caller that decodes attacker supplied tokens leaks the expected signature through this timing variation, which can be aggregated over many requests to recover the signature and forge a token.



