Remote Code Execution Vulnerability in Plack::Middleware::Session::Cookie by Perl
CVE-2014-125112

9.8CRITICAL

Key Information:

Vendor: Miyagawa
Status: Plack::middleware::session::cookie
Vendor: CVE Published:; 26 March 2026

What is CVE-2014-125112?

Plack::Middleware::Session::Cookie, in versions prior to 0.21, exposes a significant vulnerability that allows attackers to perform remote code execution. This security issue arises during the deserialization process of cookie data when no secret is used to sign the cookie, facilitating unauthorized access and manipulation of server-side code. It is crucial for users relying on this middleware to upgrade to the latest version to mitigate potential risks.

Affected Version(s)

Plack::Middleware::Session::Cookie 0 <= 0.21

References

https://gist.github.com/miyagawa/2b8764af908a0dacd43d

technical-description

https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Se...

release-notes

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 26, 2026
Vulnerability Reserved
Jul 8, 2025

Credit

mala (@bulkneets)

CVE-2014-125112 Data

JSON

Miyagawa

What is CVE-2014-125112?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit