oss-sec mailing list archives

CVE-2026-13410: Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS verification disabled


From: Robert Rothenberg <rrwo () cpansec org>
Date: Fri, 17 Jul 2026 13:51:07 +0100


========================================================================
CVE-2026-13410                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-13410
  Distribution:  Dancer-Plugin-Auth-Google
      Versions:  through 0.07

      MetaCPAN: https://metacpan.org/dist/Dancer-Plugin-Auth-Google
      VCS Repo:  https://github.com/garu/Dancer-Plugin-Auth-Google


Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS
verification disabled

Description
-----------
Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS
verification disabled.

The default user agent is initialised with SSL_verify_mode explicitly
disabled.

An attacker with network man-in-the-middle (MITM) capability between
the Dancer application and googleapis.com can intercept the OAuth2
token exchange and userinfo fetch, return a forged access_token and
user profile, and be logged in to the Dancer application as any Google
user.

Problem types
-------------
- CWE-295 Improper Certificate Validation

Workarounds
-----------
There is no caller-side override.

Apply the patch.


References
----------
https://github.com/garu/Dancer-Plugin-Auth-Google/pull/5
https://security.metacpan.org/patches/D/Dancer-Plugin-Auth-Google/0.07/CVE-2026-13410-r1.patch
https://metacpan.org/pod/Furl#HTTPS-requests-claims-warnings!




Current thread: