CVE-2024-58134

Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

CVSS

No CVSS.

References

Link	Resource
https://github.com/hashcat/hashcat/pull/4090	Issue Tracking Patch
https://github.com/mojolicious/mojo/pull/1791	Issue Tracking Patch
https://github.com/mojolicious/mojo/pull/2200	Issue Tracking Patch
https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802	Third Party Advisory
https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51	Product
https://www.synacktiv.com/publications/baking-mojolicious-cookies	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:mojolicious:mojolicious:*:*:*:*:*:perl:*:*

History

17 Jun 2025, 14:15

Type	Values Removed	Values Added
CPE		cpe:2.3:a:mojolicious:mojolicious::::::perl::*
First Time		Mojolicious Mojolicious mojolicious
References	~~() https://www.synacktiv.com/publications/baking-mojolicious-cookies -~~	() https://www.synacktiv.com/publications/baking-mojolicious-cookies - Exploit
References	~~() https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802 -~~	() https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802 - Third Party Advisory
References	~~() https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51 -~~	() https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51 - Product
References	~~() https://github.com/mojolicious/mojo/pull/1791 -~~	() https://github.com/mojolicious/mojo/pull/1791 - Issue Tracking, Patch
References	~~() https://github.com/hashcat/hashcat/pull/4090 -~~	() https://github.com/hashcat/hashcat/pull/4090 - Issue Tracking, Patch
References	~~() https://github.com/mojolicious/mojo/pull/2200 -~~	() https://github.com/mojolicious/mojo/pull/2200 - Issue Tracking, Patch

12 May 2025, 19:15

Type	Values Removed	Values Added
Summary	Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.	Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

03 May 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-03 16:15

Updated : 2025-06-17 14:15

NVD link : CVE-2024-58134

Mitre link : CVE-2024-58134

JSON object : View

Products Affected

mojolicious

mojolicious

CWE

No CWE.

JSON object

Attach tags to CVE-2024-58134

Attach tags to `CVE-2024-58134`