Description

HTTP::Session2 versions through 1.09 for Perl do not validate the format of user-provided session ids, enabling code injection or other impact depending on the session backend. For example, if an application uses memcached for session storage, then it may be possible for a remote attacker to inject memcached commands in the session id value.
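
The missing check described above, as an added Perl example (not HTTP::Session2's own code or its patch): a cookie value is matched against a strict format before it is used as a storage key. The 40-hex-character id format, `valid_session_id`, `load_session` and the in-memory `%store` are assumptions made for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Assumed id format (not taken from HTTP::Session2): 40 lowercase hex chars.
# \A and \z anchor the whole string. A trailing "$" would also accept an id
# ending in "\n", a byte that must never reach a text-protocol backend.
sub valid_session_id {
    my ($id) = @_;
    return (defined($id) && !ref($id) && $id =~ /\A[0-9a-f]{40}\z/) ? 1 : 0;
}

# Hypothetical in-memory stand-in for a memcached-style session store.
my %store = ('session:' . ('a' x 40) => { user => 'alice' });

# Build the storage key only after the cookie value has passed validation.
# Returns the session hashref, or undef so the caller starts a new session.
sub load_session {
    my ($cookie_value) = @_;
    return unless valid_session_id($cookie_value);
    return $store{"session:$cookie_value"};
}

# Constructed inputs, labelled by the property each one exercises.
my @cases = (
    [ 'well-formed id'        => 'a' x 40 ],
    [ 'trailing newline'      => ('a' x 40) . "\n" ],
    [ 'embedded CR LF'        => ('a' x 20) . "\r\n" . ('a' x 18) ],
    [ 'embedded space'        => ('a' x 20) . ' ' . ('a' x 19) ],
    [ 'too long'              => 'a' x 300 ],
    [ 'empty'                 => '' ],
    [ 'undefined (no cookie)' => undef ],
);

for my $case (@cases) {
    my ($label, $value) = @$case;
    my $session = load_session($value);
    printf "%-24s valid=%d session=%s\n",
        $label, valid_session_id($value), $session ? 'found' : 'none';
}
```

Only the first case passes validation and reaches the store; every other value is rejected before a key is built from it.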

PUBLISHED Reserved 2026-02-26 | Published 2026-02-27 | Updated 2026-03-03 | Assigner CPANSec

Problem types

CWE-20 Improper Input Validation

Product status

Default status
unaffected

Any version
affected

Timeline

2018-01-26: version 1.10 HTTP::Session2 released with fix.
2026-02-24: version 1.11 HTTP::Session2 deprecated.

References

www.openwall.com/lists/oss-security/2026/02/27/13

github.com/...813838f6d08034b6a265a70e53b59b941b5d3e6d.patch patch

metacpan.org/.../TOKUHIROM/HTTP-Session2-1.10/source/Changes release-notes

metacpan.org/pod/Cache::Memcached::Fast::Safe related

cve.org (CVE-2018-25160)

nvd.nist.gov (CVE-2018-25160)