CPANSA-Mojolicious-2024-58134: Mojolicious vulnerability
| Publisher | giterlizzi | Document category | csaf_security_advisory |
|---|---|---|---|
| Initial release date | 2025-05-03T00:00:00 | Engine | CSAF Perl Toolkit 0.26 |
| Current release date | 2025-05-03T00:00:00 | Build Date | |
| Current version | 1 | Status | final |
| CVSS v3.1 Base Score | 8.1 | Severity | |
| Original language | Language | en | |
| Also referred to | |||
Vulnerability Description
Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.
Vulnerabilities
CVE-2024-58134
Vulnerability DescriptionMojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default.
These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
| Weakness | CWE-321 : Use of Hard-coded Cryptographic Key |
|---|
Product status
Known affected
| Product | Score | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Mojolicious greater than or equal 0.999922 |
|
Fixed
- Mojolicious greater than or equal 9.40
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
- CPANSA-Mojolicious-2024-58134 JSON self
https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2025/cpansa-mojolicious-2024-58134.json - https://github.com/hashcat/hashcat/pull/4090 external
https://github.com/hashcat/hashcat/pull/4090 - https://github.com/mojolicious/mojo/pull/1791 external
https://github.com/mojolicious/mojo/pull/1791 - https://github.com/mojolicious/mojo/pull/2200 external
https://github.com/mojolicious/mojo/pull/2200 - https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802 external
https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802 - https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51 external
https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51 - https://www.synacktiv.com/publications/baking-mojolicious-cookies external
https://www.synacktiv.com/publications/baking-mojolicious-cookies - https://www.cve.org/CVERecord?id=CVE-2024-58134 external
https://www.cve.org/CVERecord?id=CVE-2024-58134 - CVE-2024-58134 (NVD) external
https://nvd.nist.gov/vuln/detail/CVE-2024-58134
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1 | Sat May 3 00:00:00 2025 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/