Security Advisories (10)
CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts.

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as an HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

NAME

Mojolicious::Guides - Mojolicious guide to the galaxy

DON'T PANIC!

We are constantly working on new documentation. Follow us on Twitter or GitHub, or join the official IRC channel #mojo on irc.perl.org to get all the latest updates.

LEARNING PERL

If you are new to Perl, we recommend Learn Perl in 2 hours 30 minutes for a quick introduction, or the Modern Perl book, freely available in many formats. Both are excellent introductions to the language. For more books and documentation, check out learn.perl.org.

TUTORIAL

Mojolicious::Lite

A fast and fun way to get started developing web applications with Mojolicious is the Mojolicious::Lite tutorial. This micro web framework is only a thin wrapper around the normal web framework, so almost everything you learn here also applies to full Mojolicious applications. The simplified notation introduced in the tutorial is commonly used throughout the guides and is therefore considered a prerequisite; you should definitely take a look!

GUIDES

Mojolicious::Guides::Growing

Starting a Mojolicious::Lite prototype from scratch and growing it into a well structured Mojolicious application.

Mojolicious::Guides::Routing

Simple and fun introduction to the Mojolicious router.

Mojolicious::Guides::Rendering

Generating content with the Mojolicious renderer.

Mojolicious::Guides::Cookbook

Cooking with Mojolicious, recipes for every taste.

Mojolicious::Guides::Contributing

Become a part of the ongoing Mojolicious development.

Mojolicious::Guides::FAQ

Answers to the most frequently asked questions.

HIGHLIGHTS

Mojolicious and Mojolicious::Lite are the sum of many parts, small building blocks that can be used independently. These are the most prominent ones.

Mojo::UserAgent

Full featured non-blocking I/O HTTP and WebSocket user agent.

Mojo::DOM

Very fun and minimalistic HTML/XML DOM parser with CSS selector support.

Mojo::JSON

Minimalistic JSON implementation that just works.

Mojo::Server::Daemon

Full featured, highly portable non-blocking I/O HTTP and WebSocket server, with self-restart support through Mojo::Server::Morbo, perfect for development and testing.

Mojo::Server::Prefork

Full featured, UNIX optimized, preforking non-blocking I/O HTTP and WebSocket server with support for zero downtime software upgrades (hot deployment) through Mojo::Server::Hypnotoad.

Mojo::Server::CGI, Mojo::Server::PSGI

Transparent CGI and PSGI support out of the box.

Mojo::IOLoop

A minimalistic event loop with support for multiple reactor backends.

Mojo::Template

Very Perl-ish and minimalistic template system.

Test::Mojo

Testing toolkit for web applications.

ojo

Fun one-liners using everything above.

SPIN-OFFS

These modules are not part of the Mojolicious distribution, but have been designed to be used with it and are being developed under the same umbrella.

Mango

Pure-Perl non-blocking I/O MongoDB driver.

Minion

Job queue.

REFERENCE

This is the class hierarchy of the Mojolicious distribution.

MORE

A lot more documentation and examples by many different authors can be found in the Mojolicious wiki.

SUPPORT

If you have any questions the documentation might not yet answer, don't hesitate to ask on the mailing-list or the official IRC channel #mojo on irc.perl.org.