๐Ÿ” CVE Alert

CVE-2026-9537

UNKNOWN 0.0

Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison. The decode() method compares the supplied signature to the recomputed HMAC with Perl's eq operator, which stops at the first differing byte, so the comparison time varies with the number of matching leading bytes. A caller that decodes attacker supplied tokens leaks the expected signature through this timing variation, which can be aggregated over many requests to recover the signature and forge a token.

CWE CWE-208
Vendor jberger
Product mojo::jwt
Published Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for jberger mojo::jwt

Be the first to know when new unknown vulnerabilities affecting jberger mojo::jwt are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

JBERGER / Mojo::JWT
0 < 1.02

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/jberger/Mojo-JWT/commit/b8aefb846613e44b5b12bc170898ffd5b05094a2.patch