CVE-2026-9733

HAYAJO · Mojolicious::Plugin::Web::Auth::OAuth2

The HAYAJO Mojolicious::Plugin::Web::Auth::OAuth2 Perl module uses a predictable state parameter, enabling CSRF-based session hijacking.

Executive summary

A critical flaw in the HAYAJO Mojolicious::Plugin::Web::Auth::OAuth2 module allows unauthenticated attackers to perform session hijacking via predictable OAuth2 state parameters.

Vulnerability

This vulnerability stems from how the plugin builds the OAuth2 state parameter: it is a SHA-1 hash of low-entropy inputs such as the current epoch time and the output of Perl's rand function, so an attacker can predict or reproduce it. Because the state value is the only thing tying a callback to the session that started the flow, a predictable state lets an unauthenticated attacker bypass the CSRF protection it is meant to provide and hijack user sessions.
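The following standalone Perl script is an added illustration and is not code from the HAYAJO plugin or from the advisory. It places a state generator of the kind described above (SHA-1 over the clock and rand) next to one that draws its entropy from the operating system, and shows the callback-side check that makes the state useful: it is stored in the server-side session, compared in constant time, and consumed on first use so it cannot be replayed. Reading /dev/urandom, the callback function names and the in-memory session hash are assumptions for the demo; Mojo::Util's secure_compare is the real Mojolicious helper.

```perl
#!/usr/bin/env perl
# Added example, not the plugin's own code. Contrasts a state parameter
# derived from low-entropy inputs with one drawn from the OS CSPRNG, and
# shows the callback-side check that binds the state to the session.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);
use Mojo::Util qw(secure_compare);   # constant-time string comparison from Mojolicious

# Weak: the state depends only on the clock and rand(), both of which an
# attacker can estimate or enumerate. This is a constructed stand-in for the
# pattern the advisory describes, shown only to contrast with strong_state().
sub weak_state {
    return sha1_hex(time() . rand());
}

# Strong: 32 bytes from the kernel CSPRNG, hex encoded (64 characters).
# Assumption: a Unix-like host that provides /dev/urandom.
sub strong_state {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $n = read $fh, my $bytes, 32;
    close $fh;
    die 'short read from /dev/urandom' unless defined $n && $n == 32;
    return unpack 'H*', $bytes;
}

# Authorization step: mint a fresh state and keep it server-side in the
# session. The returned value is what goes into the redirect to the provider.
sub begin_auth {
    my ($session) = @_;
    my $state = strong_state();
    $session->{oauth2_state} = $state;
    return $state;
}

# Callback step: the state echoed back by the provider must equal the one in
# the session. It is deleted before comparison so a second callback carrying
# the same value (a replay) fails, and the comparison is constant time.
sub verify_callback {
    my ($session, $returned_state) = @_;
    my $expected = delete $session->{oauth2_state};
    return 0 unless defined $expected && defined $returned_state;
    return secure_compare($expected, $returned_state) ? 1 : 0;
}

# Demo against an in-memory session hash (stands in for a Mojolicious session).
my %session;
my $state = begin_auth(\%session);
print "issued state:      $state\n";
print "genuine callback:  ", verify_callback(\%session, $state), "\n";
print "replayed callback: ", verify_callback(\%session, $state), "\n";
print "guessed callback:  ", verify_callback(\%session, weak_state()), "\n";
```

The three properties that matter are visible in the code: the state is unpredictable (CSPRNG, not time and rand), it is bound to the session that started the flow (stored server-side, not merely echoed), and it is single-use (deleted before the check). A hash function on its own adds none of these; hashing guessable inputs yields a guessable output, which is the root of the flaw described above.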

Business impact

The ability to hijack user sessions poses a significant risk to data integrity and confidentiality. Successful exploitation could allow unauthorized actors to impersonate legitimate users, leading to unauthorized data access or administrative control over affected applications. Given the CVSS score of 9.1, this vulnerability represents a critical threat to the security posture of any service utilizing this plugin.

Remediation

Immediate Action: Update the Mojolicious::Plugin::Web::Auth::OAuth2 module to the latest patched version provided by the vendor.

Proactive Monitoring: Review web server access logs for anomalous patterns in OAuth2 callback requests or suspicious authentication flow initiation.

Compensating Controls: Implement strict Content Security Policy (CSP) headers and ensure that alternative CSRF mitigation strategies are in place while the update is being deployed.
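As an added example of the log review suggested under Proactive Monitoring (not part of the advisory), the script below scans combined-format access log lines for OAuth2 callback requests whose state parameter is missing or reappears across requests. A correctly issued state is consumed once, so the same value turning up in two callbacks, or a callback with no state at all, is worth investigating. The callback path and the log lines are constructed for the demo and are assumptions; substitute the path the application actually uses.

```perl
#!/usr/bin/env perl
# Added example, not from the advisory: flags OAuth2 callback requests in
# access logs that carry no state or reuse a state value already seen.
use strict;
use warnings;

my $CALLBACK_PATH = '/auth/callback';   # assumption: set to the app's real callback route

# Constructed sample log lines in combined log format (not real traffic).
my @lines = (
    '10.0.0.5 - - [10/Mar/2026:10:00:01 +0000] "GET /auth/callback?code=abc&state=s1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Mar/2026:10:00:07 +0000] "GET /auth/callback?code=def&state=s2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Mar/2026:10:00:09 +0000] "GET /auth/callback?code=ghi&state=s1 HTTP/1.1" 302 0 "-" "curl/8.0"',
    '10.0.0.9 - - [10/Mar/2026:10:00:11 +0000] "GET /auth/callback?code=jkl HTTP/1.1" 302 0 "-" "curl/8.0"',
    '10.0.0.7 - - [10/Mar/2026:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
);

my (%seen_from, @findings);
for my $line (@lines) {
    # Extract the client address and the request target from the log line.
    next unless $line =~ /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\//;
    my ($ip, $target) = ($1, $2);
    my ($path, $query) = split /\?/, $target, 2;
    next unless $path eq $CALLBACK_PATH;

    # Parse the query string into key/value pairs (values left URL-encoded;
    # state values are compared as opaque strings).
    my %param = map { my ($k, $v) = split /=/, $_, 2; ($k, $v // '') }
                split /&/, ($query // '');

    if (!defined $param{state} || $param{state} eq '') {
        push @findings, "$ip: callback without a state parameter";
        next;
    }
    if (my $first = $seen_from{ $param{state} }) {
        push @findings, "$ip: state '$param{state}' reused (first seen from $first)";
    }
    else {
        $seen_from{ $param{state} } = $ip;
    }
}

print "$_\n" for @findings;
```

Run over a real log, replace the @lines array with a loop over the log file and bound the %seen_from hash by time window, since state values legitimately stop being interesting once the session that issued them has expired. Findings from this check are a prompt to look at the surrounding sessions, not proof of exploitation on their own.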

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations utilizing the HAYAJO Mojolicious::Plugin::Web::Auth::OAuth2 module must prioritize this update immediately. Because the vulnerability facilitates full session hijacking, the risk to application security is severe, and failure to patch leaves users highly susceptible to unauthorized account takeover.