Security Advisories (2)
CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies.  An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

CVE-2026-14803 (2026-07-06)

Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder. The pure-Perl decode path (`_decode_value` dispatching to `_decode_array` and `_decode_object`) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory. This path is the default when Cpanel::JSON::XS is not installed or `MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not affected. Any caller that decodes an untrusted JSON body, for example `Mojo::Message::json` reached through `$c->req->json`, can exhaust process memory and cause denial of service.

NAME

Mojo::Server::Morbo - Tonight at 11...DOOOOOOOOOOOOOOOM!

SYNOPSIS

use Mojo::Server::Morbo;

my $morbo = Mojo::Server::Morbo->new;
$morbo->run('/home/sri/myapp.pl');

DESCRIPTION

Mojo::Server::Morbo is a full featured, self-restart capable non-blocking I/O HTTP and WebSocket server, built around the very well tested and reliable Mojo::Server::Daemon, with IPv6, TLS, SNI, UNIX domain socket, Comet (long polling), keep-alive and multiple event loop support. Note that the server uses signals for process management, so you should avoid modifying signal handlers in your applications.

To start applications with it you can use the morbo script.

$ morbo ./myapp.pl
Web application available at http://127.0.0.1:3000

For better scalability (epoll, kqueue) and to provide non-blocking name resolution, SOCKS5 as well as TLS support, the optional modules EV (4.32+), Net::DNS::Native (0.15+), IO::Socket::Socks (0.64+) and IO::Socket::SSL (2.009+) will be used automatically if possible. Individual features can also be disabled with the MOJO_NO_NNR, MOJO_NO_SOCKS and MOJO_NO_TLS environment variables.

See "DEPLOYMENT" in Mojolicious::Guides::Cookbook for more.

SIGNALS

The Mojo::Server::Morbo process can be controlled at runtime with the following signals.

INT, TERM

Shut down server immediately.

ATTRIBUTES

Mojo::Server::Morbo implements the following attributes.

backend

my $backend = $morbo->backend;
$morbo      = $morbo->backend(Mojo::Server::Morbo::Backend::Poll->new);

Backend, usually a Mojo::Server::Morbo::Backend::Poll object.

daemon

my $daemon = $morbo->daemon;
$morbo     = $morbo->daemon(Mojo::Server::Daemon->new);

Mojo::Server::Daemon object this server manages.

silent

my $bool = $morbo->silent;
$morbo   = $morbo->silent($bool);

Disable console messages, defaults to a true value.

METHODS

Mojo::Server::Morbo inherits all methods from Mojo::Base and implements the following new ones.

run

$morbo->run('script/my_app');

Run server for application and wait for "SIGNALS".

SEE ALSO

Mojolicious, Mojolicious::Guides, https://mojolicious.org.