Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time (which is leaked via the HTTP Date header) and a call to Perl's built-in rand function. A predictable state allows an attacker to hijack another user's session through cross-site request forgery (CSRF).
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate, long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 contain a critical cryptographic weakness in their default state parameter generation. When developers do not specify a custom state generator, the module falls back to SHA-1 hashing of low-entropy, predictable sources: the epoch timestamp (which attackers can extract from HTTP Date headers) and Perl's rand() function. Hashing does not add entropy, so the resulting state is no harder to guess than its inputs. This breaks the fundamental security contract of OAuth2's state parameter, which exists to prevent cross-site request forgery (CSRF) attacks during the authorization flow. An attacker can forge valid state parameters, allowing them to intercept legitimate users' OAuth2 callbacks and hijack their authenticated sessions. Any web application using this Perl module with default configuration, particularly one handling sensitive operations like financial transactions or identity management, faces immediate risk of account takeover.
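The two points made above (the CVE description's weak default and the expanded paragraph's explanation of why it defeats the state parameter's purpose) are illustrated here from the defender's side, as an added Python example rather than the module's own Perl code. It shows why a SHA-1 digest of the epoch second and a rand() draw has only as much entropy as those inputs, and how a callback handler should issue and validate state instead: a CSPRNG token bound to the user's session, time-limited, single-use and compared in constant time. The in-memory store, the ten-minute TTL, the `session_id`/`state` names and the way the weak inputs are concatenated are assumptions made for this example, not details taken from the module.

```python
"""OAuth2 state handling: the weak default (for contrast) and a CSRF-safe design.

Added example, not code from Mojolicious::Plugin::Web::Auth::OAuth2.
Store layout, TTL, parameter names and the weak-input concatenation are
assumptions for illustration.
"""
import hashlib
import hmac
import math
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


# --- the weak pattern, shown only to measure its entropy ----------------
def weak_state(epoch: int, rand_draw: float) -> str:
    # Mirrors the shape of the insecure default: SHA-1 over the epoch second
    # and a non-cryptographic rand() value (exact concatenation assumed).
    # SHA-1's 160-bit output does not widen a small input space.
    return hashlib.sha1(f"{epoch}{rand_draw}".encode()).hexdigest()


def effective_entropy_bits(clock_window_s: int, rand_states: int) -> float:
    # Upper bound on the guessing work for such a state: the leaked Date
    # header narrows the epoch to `clock_window_s` candidate seconds and the
    # PRNG draw is one of `rand_states` values. Compare with 256 bits below.
    return math.log2(clock_window_s * rand_states)


# --- the mitigation ------------------------------------------------------
STATE_TTL_SECONDS = 600  # assumed: authorization must complete within 10 min
STATE_BYTES = 32         # 256 bits from the OS CSPRNG


class StateStore:
    """Pending OAuth2 states per session. In a real application this lives in
    the server-side session; here it is a dict keyed by session id."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._pending: Dict[str, Dict[str, float]] = {}  # sid -> {state: issued_at}

    def issue(self, session_id: str) -> str:
        # Unpredictable token, bound to the session that starts the flow.
        state = secrets.token_urlsafe(STATE_BYTES)
        self._pending.setdefault(session_id, {})[state] = self._now()
        return state

    def consume(self, session_id: str, presented: Optional[str]) -> bool:
        """Accept only a state issued to *this* session, not expired, and never
        used before. A matched state is removed on first use so it cannot be
        replayed; expiry is checked after removal so a late token also burns."""
        if not presented:
            return False
        pending = self._pending.get(session_id, {})
        match = None
        for candidate in list(pending):
            # Constant-time comparison; normally a single candidate exists.
            if hmac.compare_digest(candidate, presented):
                match = candidate
        if match is None:
            return False
        issued_at = pending.pop(match)
        return (self._now() - issued_at) <= STATE_TTL_SECONDS


def handle_callback(store: StateStore, session_id: str,
                    query: Dict[str, str]) -> Tuple[int, str]:
    """Callback handler sketch: verify state before touching the `code`."""
    if not store.consume(session_id, query.get("state")):
        return 403, "state mismatch or reuse: possible CSRF, code ignored"
    return 200, "state ok: safe to exchange the authorization code"


def make_clock(start: float):
    """Controllable clock so expiry can be exercised without sleeping."""
    t = [start]
    return (lambda: t[0]), (lambda s: t.__setitem__(0, t[0] + s))


if __name__ == "__main__":
    print("weak default, 60 s window, 2^15 PRNG states:",
          round(effective_entropy_bits(60, 2 ** 15), 1), "bits")
    print("CSPRNG state:", STATE_BYTES * 8, "bits")
    now, advance = make_clock(1_700_000_000.0)
    store = StateStore(now=now)
    sid, s = "sess-A", None
    s = store.issue(sid)
    print(handle_callback(store, sid, {"state": s, "code": "c1"}))
    print(handle_callback(store, sid, {"state": s, "code": "c1"}))  # replay
```

The contrast the numbers make is the point: under the assumed parameters the weak default is guessable in about twenty bits of work, while a 32-byte CSPRNG token is not, and even a strong token is only useful if the callback binds it to the session that started the flow and refuses to accept it twice.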
While no specific MITRE ATT&CK techniques are mapped to this CVE, Casky's extended reasoning capabilities would detect the underlying attack patterns associated with CWE-338 (use of cryptographically weak pseudo-random number generator) and CWE-340 (generation of predictable numbers/identifiers). Practitioners using Casky would observe findings flagged for insecure random number generation in authentication flows, weak entropy sources in security-critical parameters, and patterns consistent with CSRF exploitation chains. The platform's skill mapping would highlight the gap between expected OAuth2 security controls and the actual implementation, allowing security teams to identify vulnerable code patterns in dependency audits and code reviews before attackers can abuse them.