oss-sec mailing list archives
CVE-2026-13410: Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS verification disabled
From: Robert Rothenberg <rrwo () cpansec org>
Date: Fri, 17 Jul 2026 13:51:07 +0100
======================================================================== CVE-2026-13410 CPAN Security Group ======================================================================== CVE ID: CVE-2026-13410 Distribution: Dancer-Plugin-Auth-Google Versions: through 0.07 MetaCPAN: https://metacpan.org/dist/Dancer-Plugin-Auth-Google VCS Repo: https://github.com/garu/Dancer-Plugin-Auth-Google Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS verification disabled Description ----------- Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS verification disabled. The default user agent is initialised with SSL_verify_mode explicitly disabled. An attacker with network man-in-the-middle (MITM) capability between the Dancer application and googleapis.com can intercept the OAuth2 token exchange and userinfo fetch, return a forged access_token and user profile, and be logged in to the Dancer application as any Google user. Problem types ------------- - CWE-295 Improper Certificate Validation Workarounds ----------- There is no caller-side override. Apply the patch. References ---------- https://github.com/garu/Dancer-Plugin-Auth-Google/pull/5 https://security.metacpan.org/patches/D/Dancer-Plugin-Auth-Google/0.07/CVE-2026-13410-r1.patch https://metacpan.org/pod/Furl#HTTPS-requests-claims-warnings!
Current thread:
- CVE-2026-13410: Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS verification disabled Robert Rothenberg (Jul 17)
