Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default.
These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
Metrics
Affected Vendors & Products
References
History
Mon, 12 May 2025 18:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session. | Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session. |
Title | Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default | Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default |
Mon, 12 May 2025 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
cvssV3_1
|
Sat, 03 May 2025 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session. | |
Title | Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default | |
Weaknesses | CWE-321 CWE-331 |
|
References |
|
|

Status: PUBLISHED
Assigner: CPANSec
Published: 2025-05-03T16:08:55.042Z
Updated: 2025-05-12T18:10:58.672Z
Reserved: 2025-04-07T16:06:37.226Z
Link: CVE-2024-58134

Updated: 2025-05-12T16:00:24.352Z

Status : Awaiting Analysis
Published: 2025-05-03T16:15:19.310
Modified: 2025-05-12T19:15:48.523
Link: CVE-2024-58134

No data.