CVE-2026-9733: CWE-340 Generation of Predictable Numbers or Identifiers in HAYAJO Mojolicious::Plugin::Web::Auth::OAuth2
Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time (which is leaked via the HTTP Date header) and a call to Perl's built-in rand function. A predictable state allows an attacker to hijack another user's session through cross-site request forgery (CSRF).
AI Analysis
Technical Summary
The vulnerability in Mojolicious::Plugin::Web::Auth::OAuth2 (<=0.17) arises from the insecure default generation of the OAuth2 state parameter. When no custom state generator is provided, the module uses a SHA-1 hash of predictable values including the current epoch time (exposed via the HTTP Date header) and Perl's rand function, which lacks sufficient entropy. This predictable state value can be exploited by attackers to conduct CSRF attacks, potentially hijacking user sessions during OAuth2 authentication.
Potential Impact
An attacker can predict the OAuth2 state parameter used in authentication requests, enabling them to perform cross-site request forgery (CSRF) attacks. This may lead to unauthorized actions performed in the context of a victim's session, compromising user security and trust in the affected application.
Mitigation Recommendations
No official patch or fix has been confirmed as of the provided data. Users should avoid relying on the default state generator and instead specify a custom, cryptographically secure state generator when constructing the plugin. Monitor the vendor advisory for updates and apply any official fixes once available.
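As an added example (not code from the plugin, its author, or the advisory): a minimal Mojolicious::Lite app that supplies its own CSPRNG-backed state generator instead of relying on the default. The `state_generator` option name is assumed from the advisory's wording and should be checked against the plugin's documentation; `Crypt::URandom` is a CPAN module that reads the operating system's CSPRNG; the Google client id and secret are placeholders taken from the environment.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Mojolicious::Lite -signatures;
use Crypt::URandom qw(urandom);   # CPAN; OS CSPRNG, never Perl's rand()

# The weak pattern the advisory describes: a SHA-1 digest over the epoch
# second (visible in the HTTP Date header) and rand(), both of which an
# outsider can narrow down. Shown only for contrast; do not use.
#   use Digest::SHA qw(sha1_hex);
#   my $weak_state = sha1_hex( time() . rand() );

# Hardened generator: 32 bytes (256 bits) from the OS CSPRNG, hex-encoded so
# the value survives URL round-trips unchanged. Unpredictable state is what
# lets the callback handler reject forged authorization responses.
sub secure_state {
    return unpack 'H*', urandom(32);
}

plugin 'Web::Auth',
    module          => 'Google',
    key             => $ENV{GOOGLE_CLIENT_ID},       # placeholder
    secret          => $ENV{GOOGLE_CLIENT_SECRET},   # placeholder
    state_generator => \&secure_state,               # option name assumed
    on_finished     => sub ($c, $access_token, $user_info) {
        # Bind the authenticated identity to this browser's session only
        $c->session( uid => $user_info->{id} );
        $c->redirect_to('/');
    };

get '/' => sub ($c) {
    $c->render( text => $c->session('uid') ? 'signed in' : 'anonymous' );
};

app->start;
```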
Affected software
pkg:github/Mojolicious-Plugin-Web-Auth
Technical Details
- Data Version: 5.2
- Assigner Short Name: CPANSec
- Date Reserved: 2026-05-27T17:25:58.644Z
- CVSS Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a3a3f2aeed863c81e8c6dcf
Added to database: 06/23/2026, 08:09:14 UTC
Last enriched: 06/23/2026, 08:24:09 UTC
Last updated: 06/23/2026, 10:39:46 UTC