Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    2 vulnerabilities by JBERGER

    CVE-2026-9537 (GCVE-0-2026-9537)

    Vulnerability from nvd – Published: 2026-07-17 15:29 – Updated: 2026-07-17 17:25
    VLAI
    Title
    Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison
    Summary
    Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison. The decode() method compares the supplied signature to the recomputed HMAC with Perl's eq operator, which stops at the first differing byte, so the comparison time varies with the number of matching leading bytes. A caller that decodes attacker supplied tokens leaks the expected signature through this timing variation, which can be aggregated over many requests to recover the signature and forge a token.
    Severity
    No CVSS data available.
    CWE
    • CWE-208 - Observable Timing Discrepancy
    Assigner
    Impacted products
    Vendor Product Version
    JBERGER Mojo::JWT Affected: 0 , < 1.02 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-07-17T17:25:14.154Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/07/17/11"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://cpan.org/modules",
              "defaultStatus": "unaffected",
              "packageName": "Mojo-JWT",
              "product": "Mojo::JWT",
              "programFiles": [
                "lib/Mojo/JWT.pm"
              ],
              "programRoutines": [
                {
                  "name": "Mojo::JWT::decode"
                }
              ],
              "repo": "http://github.com/jberger/Mojo-JWT",
              "vendor": "JBERGER",
              "versions": [
                {
                  "lessThan": "1.02",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison.\n\nThe decode() method compares the supplied signature to the recomputed HMAC with Perl\u0027s eq operator, which stops at the first differing byte, so the comparison time varies with the number of matching leading bytes.\n\nA caller that decodes attacker supplied tokens leaks the expected signature through this timing variation, which can be aggregated over many requests to recover the signature and forge a token."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-208",
                  "description": "CWE-208 Observable Timing Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-17T15:29:58.088Z",
            "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
            "shortName": "CPANSec"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/jberger/Mojo-JWT/commit/b8aefb846613e44b5b12bc170898ffd5b05094a2.patch"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to Mojo-JWT 1.02, which compares signatures with the constant-time Mojo::Util::secure_compare."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison",
          "x_generator": {
            "engine": "cpansec-cna-tool 0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "assignerShortName": "CPANSec",
        "cveId": "CVE-2026-9537",
        "datePublished": "2026-07-17T15:29:58.088Z",
        "dateReserved": "2026-05-25T20:46:44.842Z",
        "dateUpdated": "2026-07-17T17:25:14.154Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9537 (GCVE-0-2026-9537)

    Vulnerability from cvelistv5 – Published: 2026-07-17 15:29 – Updated: 2026-07-17 17:25
    VLAI
    Title
    Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison
    Summary
    Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison. The decode() method compares the supplied signature to the recomputed HMAC with Perl's eq operator, which stops at the first differing byte, so the comparison time varies with the number of matching leading bytes. A caller that decodes attacker supplied tokens leaks the expected signature through this timing variation, which can be aggregated over many requests to recover the signature and forge a token.
    Severity
    No CVSS data available.
    CWE
    • CWE-208 - Observable Timing Discrepancy
    Assigner
    Impacted products
    Vendor Product Version
    JBERGER Mojo::JWT Affected: 0 , < 1.02 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-07-17T17:25:14.154Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/07/17/11"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://cpan.org/modules",
              "defaultStatus": "unaffected",
              "packageName": "Mojo-JWT",
              "product": "Mojo::JWT",
              "programFiles": [
                "lib/Mojo/JWT.pm"
              ],
              "programRoutines": [
                {
                  "name": "Mojo::JWT::decode"
                }
              ],
              "repo": "http://github.com/jberger/Mojo-JWT",
              "vendor": "JBERGER",
              "versions": [
                {
                  "lessThan": "1.02",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison.\n\nThe decode() method compares the supplied signature to the recomputed HMAC with Perl\u0027s eq operator, which stops at the first differing byte, so the comparison time varies with the number of matching leading bytes.\n\nA caller that decodes attacker supplied tokens leaks the expected signature through this timing variation, which can be aggregated over many requests to recover the signature and forge a token."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-208",
                  "description": "CWE-208 Observable Timing Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-17T15:29:58.088Z",
            "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
            "shortName": "CPANSec"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/jberger/Mojo-JWT/commit/b8aefb846613e44b5b12bc170898ffd5b05094a2.patch"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to Mojo-JWT 1.02, which compares signatures with the constant-time Mojo::Util::secure_compare."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison",
          "x_generator": {
            "engine": "cpansec-cna-tool 0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "assignerShortName": "CPANSec",
        "cveId": "CVE-2026-9537",
        "datePublished": "2026-07-17T15:29:58.088Z",
        "dateReserved": "2026-05-25T20:46:44.842Z",
        "dateUpdated": "2026-07-17T17:25:14.154Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }