
Description

Mojolicious for Perl, from version 0.999922, uses a hard-coded string, or the application's class name, as the default HMAC secret for session cookies. These predictable default secrets can be exploited by an attacker to forge session cookies: an attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

PUBLISHED Reserved 2025-04-07 | Published 2025-05-03 | Updated 2025-10-20 | Assigner CPANSec

Problem types

CWE-321 Use of Hard-coded Cryptographic Key

CWE-331 Insufficient Entropy

Product status

Default status: unaffected

0.999922 (custom): affected

Credits

Antoine Cervoise from Synacktiv (analyst)

Jakub Kramarz (analyst)

Lukas Atkinson (analyst)

References

github.com/mojolicious/mojo/pull/1791 issue-tracking

github.com/mojolicious/mojo/pull/2200 issue-tracking

www.synacktiv.com/publications/baking-mojolicious-cookies technical-description

medium.com/...rity-problems-through-security-by-13da7c225802 technical-description

metacpan.org/...I/Mojolicious-9.39/source/lib/Mojolicious.pm related

github.com/hashcat/hashcat/pull/4090 exploit

lists.debian.org/debian-perl/2025/05/msg00016.html mailing-list

lists.debian.org/debian-perl/2025/05/msg00017.html mailing-list

lists.debian.org/debian-perl/2025/05/msg00018.html mailing-list

github.com/mojolicious/mojo/pull/2252 issue-tracking

docs.mojolicious.org/Mojolicious/Guides/FAQ technical-description

cve.org (CVE-2024-58134)

nvd.nist.gov (CVE-2024-58134)
