Impact
The vulnerability arises from an insecure default state parameter in Mojolicious::Plugin::Web::Auth::OAuth2. When no custom state generator is supplied, the plugin creates a SHA‑1 hash of low‑entropy, predictable inputs such as the epoch time and Perl’s built‑in rand function. These state values can be guessed by an attacker, allowing a carefully crafted request to trick a user into authorizing an OAuth flow that the attacker controls. The predictable state enables classic cross‑site request forgery attacks that lead to session hijacking and unauthorized access to the victim’s authenticated session.
Affected Systems
Perl applications that use HAYAJO's Mojolicious::Plugin::Web::Auth::OAuth2 version 0.17 or earlier are affected. The issue exists in all releases of the plugin up to but not including version 0.18. It impacts any project that relies on the plugin’s OAuth2 module for authentication without providing a custom state generator function.
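The following Python snippet is an added illustration of the two patterns the advisory contrasts; it is not code from the plugin or from its author. The weak_state function reproduces the shape of the insecure default (a SHA-1 digest of the epoch time and a rand() value, so its output is fully determined by two low-entropy inputs), while OAuthStateStore shows what a custom state generator should do instead: draw the state from the operating system's CSPRNG, bind it to the user's session, accept it only once, and compare it in constant time on the callback. The session store and its identifiers are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def weak_state(epoch: int, rand_value: float) -> str:
    """Shape of the insecure default described in the advisory (illustration only).

    The digest depends solely on the epoch second and a rand() value; SHA-1
    adds no entropy, so the state inherits the predictability of its inputs.
    """
    return hashlib.sha1(f"{epoch}{rand_value}".encode()).hexdigest()


def secure_state(nbytes: int = 32) -> str:
    """Replacement generator: 256 bits from the OS CSPRNG, URL-safe for the redirect."""
    return secrets.token_urlsafe(nbytes)


class OAuthStateStore:
    """Server-side binding of one pending OAuth state to one session (constructed example)."""

    def __init__(self) -> None:
        # session_id -> outstanding state; a real app would keep this in the session store
        self._pending: Dict[str, str] = {}

    def begin(self, session_id: str) -> str:
        """Called when building the authorization redirect; returns the state to send."""
        state = secure_state()
        self._pending[session_id] = state
        return state

    def verify(self, session_id: str, returned_state: Optional[str]) -> bool:
        """Called on the callback; the state is single-use and compared in constant time."""
        expected = self._pending.pop(session_id, None)
        if expected is None or returned_state is None:
            return False
        return hmac.compare_digest(expected, returned_state)


if __name__ == "__main__":
    # Same low-entropy inputs always yield the same weak state.
    print(weak_state(1700000000, 0.5) == weak_state(1700000000, 0.5))
    store = OAuthStateStore()
    state = store.begin("session-abc")
    print(store.verify("session-abc", state))   # True on the first use
    print(store.verify("session-abc", state))   # False: already consumed
```

Two properties matter for detection and review: the callback handler must reject a missing or mismatched state outright rather than proceeding, and a state must be consumed on first use so a captured value cannot be replayed.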
Risk and Exploitability
The exploit requires an attacker to make a request to the OAuth2 endpoint, supply a forged state that matches the client’s predictable value, and then redeem the response. No user interaction beyond the normal OAuth flow is needed, making the attack relatively straightforward in a browser context. Although EPSS data is not available and the vulnerability is not listed in CISA’s KEV catalog, the potential for session hijacking and impersonation grants this flaw a high practical risk. The CWE identifiers for Cryptographic Primitive Weakness (CWE‑338) and Random Number Generation Weakness (CWE‑340) reinforce the severity of the issue.
OpenCVE Enrichment