CVE-2024-58135

Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

CVSS

No CVSS.

References

Link	Resource
https://github.com/hashcat/hashcat/pull/4090	Issue Tracking Patch
https://github.com/mojolicious/mojo/pull/2200	Exploit Issue Tracking Patch
https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220	Product
https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202	Product
https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181	Product
https://perldoc.perl.org/functions/rand	Product
https://security.metacpan.org/docs/guides/random-data-for-security.html	Technical Description

Configurations

Configuration 1 (hide)

cpe:2.3:a:mojolicious:mojolicious:*:*:*:*:*:perl:*:*

History

17 Jun 2025, 14:16

Type	Values Removed	Values Added
First Time		Mojolicious Mojolicious mojolicious
CPE		cpe:2.3:a:mojolicious:mojolicious::::::perl::*
References	~~() https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220 -~~	() https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220 - Product
References	~~() https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181 -~~	() https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181 - Product
References	~~() https://perldoc.perl.org/functions/rand -~~	() https://perldoc.perl.org/functions/rand - Product
References	~~() https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202 -~~	() https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202 - Product
References	~~() https://github.com/hashcat/hashcat/pull/4090 -~~	() https://github.com/hashcat/hashcat/pull/4090 - Issue Tracking, Patch
References	~~() https://github.com/mojolicious/mojo/pull/2200 -~~	() https://github.com/mojolicious/mojo/pull/2200 - Exploit, Issue Tracking, Patch
References	~~() https://security.metacpan.org/docs/guides/random-data-for-security.html -~~	() https://security.metacpan.org/docs/guides/random-data-for-security.html - Technical Description

12 May 2025, 19:15

Type	Values Removed	Values Added
Summary	Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.	Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

03 May 2025, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-03 11:15

Updated : 2025-06-17 14:16

NVD link : CVE-2024-58135

Mitre link : CVE-2024-58135

JSON object : View

Products Affected

mojolicious

mojolicious

CWE

No CWE.

JSON object

Attach tags to CVE-2024-58135

Attach tags to `CVE-2024-58135`