External risk intelligence

Mojolicious CSRF Token Exposure via Compression Oracle

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-15747

Mojolicious is a framework used to build web applications, APIs, and microservices. Because these applications are commonly deployed as internet-facing services to handle web traffic, the vulnerable session token handling mechanism is frequently exposed to public network requests.

Cross-site Request Forgery

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in the Mojolicious web framework for Perl could allow attackers to bypass security checks by exploiting a weakness in how session tokens are handled. This issue, related to compression and token representation, could potentially enable unauthorized access to protected functionalities. The primary concern is to confirm if our environment utilizes this technology and is exposed.

  • Session tokens can be stolen by attackers.
  • Protects against bypassing security validations.
  • Confirm exposure to Mojolicious web applications.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by observing responses from a web application built with Mojolicious. If these responses include attacker-controlled input alongside the session's CSRF token and are compressed using gzip, the attacker can use the resulting compressed data size to reconstruct the token. Once the token is recovered, the attacker can bypass CSRF protections and potentially perform actions as a legitimate user.

  • Unauthenticated network access required.
  • Compressed response leaks session token.
  • Bypasses CSRF protection.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to recover a session CSRF token when supported conditions like gzip compression and echoing attacker-controlled input are met. Once recovered, the token can be used to bypass CSRF protection, potentially enabling an attacker to perform actions on behalf of a user.

  • Session CSRF tokens could be exposed.
  • BREACH oracle may reveal tokens.
  • CSRF protection bypass may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in the Mojolicious framework impacts web applications, APIs, and microservices, making them susceptible to token recovery and bypass of CSRF protections. The primary responsibility for addressing this lies with the teams managing these web services, including application owners and platform or infrastructure teams. The immediate first step should be to inventory all Mojolicious deployments, identify those exposed to the network, confirm their business criticality, and then assign ownership for remediation planning, which may involve vendor coordination or temporary risk reduction measures.

  • Application and platform teams should own remediation.
  • Verify network exposure and business criticality.
  • Plan remediation with accountable owners.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Mojolicious framework?

Mojolicious is a real-time web framework for the Perl programming language. Developers use it to build dynamic websites, scalable APIs, and microservices. Because it provides tools for handling sessions and security tokens, it is a foundational component for many web-based applications that manage user authentication and state.

What does CVE-2026-15747 mean for session security?

This vulnerability involves a weakness class known as a side-channel attack, specifically categorized as CWE-204 (Observable Response Discrepancy) and CWE-352 (Cross-Site Request Forgery). It allows an attacker to recover a hidden session token by observing how the application's response size changes when data is compressed using gzip. This effectively turns the application into an 'oracle' that leaks sensitive security information.

How can an attacker trigger this vulnerability?

An attacker triggers this by sending crafted requests to a vulnerable application that causes it to echo attacker-controlled input in a gzip-compressed response containing the CSRF token. The attack does not occur if the response is not compressed or if the application does not include the user-provided input in the same response as the session token.

Do I need to worry if my service is not on the internet?

Halo Surface Signal indicates that Mojolicious applications are frequently deployed as internet-facing services, which heightens the risk. If your service is internal and strictly firewalled, the potential for unauthorized network access is lower, but you should still assess the risk based on your internal threat model and user access controls.

When should I take action for this CVE?

You should begin by inventorying all systems running Mojolicious to identify which versions are affected. Since this vulnerability allows attackers to bypass CSRF protections and potentially impersonate users, prioritize your public-facing applications. Coordinate with your application and infrastructure teams to plan an update to the framework.

References