CPANSA-Mojolicious-2024-58135: Mojolicious vulnerability
| Publisher | giterlizzi | Document category | csaf_security_advisory |
|---|---|---|---|
| Initial release date | 2025-05-03T00:00:00 | Engine | CSAF Perl Toolkit 0.25 |
| Current release date | 2025-05-03T00:00:00 | Build Date | |
| Current version | 1 | Status | final |
| CVSS v3.1 Base Score | 5.3 | Severity | |
| Original language | Language | en | |
| Also referred to | |||
Vulnerability Description
Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.
Vulnerabilities
CVE-2024-58135
Vulnerability DescriptionMojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets.
When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.
| Weakness | CWE-338 : Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
|---|
Product status
Known affected
| Product | Score | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Mojolicious greater than or equal 7.28 |
|
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
- CPANSA-Mojolicious-2024-58135 JSON self
https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2025/cpansa-mojolicious-2024-58135.json - https://github.com/hashcat/hashcat/pull/4090 external
https://github.com/hashcat/hashcat/pull/4090 - https://github.com/mojolicious/mojo/pull/2200 external
https://github.com/mojolicious/mojo/pull/2200 - https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220 external
https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220 - https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202 external
https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202 - https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181 external
https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181 - https://perldoc.perl.org/functions/rand external
https://perldoc.perl.org/functions/rand - https://security.metacpan.org/docs/guides/random-data-for-security.html external
https://security.metacpan.org/docs/guides/random-data-for-security.html - CVE-2024-58135 (NVD) external
https://nvd.nist.gov/vuln/detail/CVE-2024-58135
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1 | Sat May 3 00:00:00 2025 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/