Description
Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks.

These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash or password.
Published: 2026-05-21
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Catalyst::Plugin::Authentication versions up to 0.10024 where Perl’s built‑in eq operator is used for password comparison. Timing discrepancies in this comparison can allow an attacker to infer bits of the underlying hash or password, potentially enabling credential replay or theft. This side‑channel exposure does not lead to arbitrary code execution but instead permits the gradual deduction of valid passwords through measured response times.

Affected Systems

The affected product is Catalyst::Plugin::Authentication by JJNAPIORK. All releases through version 0.10024 are impacted, with the fix published in version 0.10026 and later.

Risk and Exploitability

The CVSS score of 5.1 places the vulnerability in the medium severity range, and the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The CVE is not listed in the CISA KEV catalog, suggesting no publicly known large‑scale exploitation. Nonetheless, the attack vector identified is a timing side‑channel on authentication endpoints; exploitation would require repeated credential verification attempts that expose measurable time differences, which in practice can be difficult but is feasible for determined adversaries.

Generated by OpenCVE AI on May 22, 2026 at 17:23 UTC.

Remediation

Vendor Solution

Upgrade to version 0.10026 or later.

OpenCVE Recommended Actions

  • Update Catalyst::Plugin::Authentication to version 0.10026 or later
  • Replace any custom authentication code that uses Perl's eq with a constant‑time string comparison function
  • Conduct security testing of authentication endpoints for residual timing side‑channels and adjust configuration if anomalies are detected

Generated by OpenCVE AI on May 22, 2026 at 17:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Jjnapiork
Jjnapiork catalyst::plugin::authentication
Vendors & Products Jjnapiork
Jjnapiork catalyst::plugin::authentication

Fri, 22 May 2026 02:30:00 +0000

Type Values Removed Values Added
References

Thu, 21 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash or password.
Title Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks
Weaknesses CWE-208
References

Subscriptions

Jjnapiork Catalyst::plugin::authentication
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-22T14:13:48.996Z

Reserved: 2026-03-28T19:36:44.345Z

Link: CVE-2026-5091

cve-icon Vulnrichment

Updated: 2026-05-22T14:13:42.579Z

cve-icon NVD

Status : Received

Published: 2026-05-21T22:16:48.530

Modified: 2026-05-22T02:16:34.970

Link: CVE-2026-5091

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T17:30:06Z

Weaknesses