Description
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.
Problem types
CWE-565 Reliance on Cookies without Validation and Integrity Checking
Product status
Any version
Timeline
| 2014-08-11: | Vulnerability disclosed by MIYAGAWA. |
| 2014-08-11: | Version 0.22 released that warns when the "secret" option is not set. |
| 2014-08-11: | Version 0.23-TRIAL released that requires the "secret" option to be set. |
| 2014-09-05: | Version 0.24 released. Same as 0.23 but not a trial release. |
| 2016-02-03: | Version 0.26 released. Documentation improved with SYNOPSIS giving an example of how to set the "secret" option. |
| 2019-01-26: | CPANSA-Plack-Middleware-Session-Cookie-2014-01 assigned in CPAN::Audit::DB |
| 2019-03-09: | CPANSA-Plack-Middleware-Session-2014-01 reassigned in CPAN::Audit::DB |
| 2025-07-08: | CVE-2014-125112 assigned by CPANSec. |
Credits
mala (@bulkneets)
References
www.openwall.com/lists/oss-security/2026/03/26/2
gist.github.com/miyagawa/2b8764af908a0dacd43d
metacpan.org/.../Plack-Middleware-Session-0.23-TRIAL/changes
nvd.nist.gov (CVE-2014-125112)