CVE-2026-5091
Description
Catalyst::Plugin::Authentication versions through 0.10024 for Perl are susceptible to timing attacks.
These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying hash or password.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Catalyst::Plugin::Authentication through 0.10024 uses insecure string comparison, enabling timing attacks to guess passwords.
Vulnerability
Catalyst::Plugin::Authentication versions through 0.10024 for Perl are susceptible to timing attacks due to the use of Perl's built-in eq operator for password comparison. The check_password method in Catalyst/Authentication/Credential/Password.pm compares the supplied password against the stored value with eq. That operator stops at the first differing byte, so the time it takes depends on how long a prefix the guess shares with the stored value; it is not constant-time, and an attacker who measures response times can infer the stored password or hash byte by byte. All versions up to and including 0.10024 are affected [1][2].
Exploitation
An attacker who can reach the application's login endpoint can exploit this by sending many authentication requests with chosen passwords and timing the responses. Because eq returns as soon as it finds a differing byte, a guess that shares a longer prefix with the stored value takes slightly longer to reject, so the attacker fixes one byte at a time and extends the known prefix until the full credential is recovered. No credentials or special privileges are needed, only the ability to send requests and measure response times. The per-byte difference is on the order of nanoseconds, so each candidate must be sampled many times and the signal extracted statistically; network jitter raises the number of samples required but does not remove the leak [1][2].
Impact
Successful exploitation lets the attacker recover the stored password or, where the application stores hashed passwords, the stored hash, which can then be cracked offline. In either case the attacker can authenticate as the affected user, gaining unauthorized access to the application and its data. The impact is high for confidentiality and integrity, as the attacker can read protected resources and potentially modify data [1][2].
Mitigation
The vulnerability is fixed in version 0.10_025, released on 2026-05-19 [1]. The fix replaces the eq comparison with a secure string comparison function (_secure_compare) that operates in constant time, preventing timing side-channel attacks [2]. Users should upgrade to version 0.10_025 or later. No workaround is available for earlier versions; upgrading is the only mitigation [1][2].
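The following Perl script is an added illustration for the Vulnerability, Exploitation and Mitigation sections above; it is not code from Catalyst::Plugin::Authentication. It places an eq-based check beside a constant-time comparison (the secure_compare here is my own implementation and is only assumed to resemble the module's _secure_compare), and runs a local timing probe that recovers a constructed secret byte by byte. Since eq on short strings differs by only nanoseconds, the probe uses an explicit early-exit byte loop (leaky_eq) as a scaled-up model of the same behaviour; the secret value, the candidate alphabet and the sample counts are all constructed for the example.

```perl
#!/usr/bin/env perl
# Added example, not Catalyst::Plugin::Authentication code: early-exit
# password comparison next to a constant-time one, plus a timing probe.
use strict;
use warnings;
use Time::HiRes qw(time);

# Vulnerable shape: `eq` returns at the first differing byte, so the time
# taken grows with the length of the prefix the guess shares with $stored.
sub check_password_eq {
    my ($stored, $supplied) = @_;
    return $stored eq $supplied;
}

# Constant-time comparison written for this example (assumed to be in the
# spirit of the module's _secure_compare, not copied from it): XOR every
# byte pair and OR the results, so the work done does not depend on where
# the strings first differ.  The length check up front leaks only the
# length, which is fixed anyway when comparing digests.
sub secure_compare {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

sub check_password_ct {
    my ($stored, $supplied) = @_;
    return secure_compare($stored, $supplied);
}

# Model oracle for the probe: an explicit byte loop with an early return,
# i.e. memcmp-style behaviour made slow enough for Perl to measure.
sub leaky_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    for my $i (0 .. length($x) - 1) {
        return 0 if substr($x, $i, 1) ne substr($y, $i, 1);   # early exit
    }
    return 1;
}

# Median per-call time in ns: each sample times a batch of $batch calls so
# the difference rises above the clock resolution; the median of $samples
# batches resists scheduler noise better than the mean.
sub median_ns {
    my ($code, $batch, $samples) = @_;
    my @t;
    for (1 .. $samples) {
        my $t0 = time;
        $code->() for 1 .. $batch;
        push @t, (time - $t0) * 1e9 / $batch;
    }
    @t = sort { $a <=> $b } @t;
    return $t[int(@t / 2)];
}

# Attacker's step for one position: with the prefix already known, try every
# candidate byte and keep the slowest (longest shared prefix).  The filler
# byte '!' is outside the alphabet so it never matches by accident.
sub guess_position {
    my ($oracle, $known, $pos, $len) = @_;
    my %score;
    for my $c ('a' .. 'z') {
        my $probe = $known . $c . ('!' x ($len - $pos - 1));
        $score{$c} = median_ns(sub { $oracle->($probe) }, 200, 31);
    }
    my ($best) = sort { $score{$b} <=> $score{$a} } keys %score;
    return $best;
}

my $secret = 'secret';   # constructed sample stored value

# Both checks agree on accept/reject; only their timing behaviour differs.
printf "eq accept: %d\n", check_password_eq($secret, 'secret') ? 1 : 0;
printf "ct accept: %d\n", check_password_ct($secret, 'secret') ? 1 : 0;
printf "ct reject: %d\n", check_password_ct($secret, 'secrex') ? 1 : 0;

# Recover the secret byte by byte from the early-exit model.  Over a real
# network the per-byte gap is far smaller and needs many more samples per
# candidate; this in-process run only shows the shape of the attack.
my $recovered = '';
for my $pos (0 .. length($secret) - 1) {
    $recovered .= guess_position(sub { leaky_eq($secret, $_[0]) },
                                 $recovered, $pos, length($secret));
}
print "early-exit oracle leaked: $recovered\n";

# Against the constant-time check the same probe has nothing to rank by:
# every rejected candidate costs the same number of byte operations.
```

Run it with `perl timing_demo.pl`; the recovered string normally matches the constructed secret, though an individual position can be misread on a noisy machine, which is exactly the statistical nature the Exploitation section describes. The point of the constant-time version is that the scores no longer order by shared prefix, so the same loop has nothing to rank by.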
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <0.10_025
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions
No linked articles in our index yet.