HMAC Session Secret Exposure in Mojolicious Web Framework by Perl
CVE-2024-58134

8.1HIGH

Key Information:

Vendor

Sri

Vendor
CVE Published:
3 May 2025

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2024-58134?

The Mojolicious web framework for Perl features a significant vulnerability where it employs a hardcoded string or the application's class name as the default HMAC session secret. This predictability can be manipulated by attackers who can guess or know the secret, enabling them to create valid HMAC signatures for session cookies. As a result, unauthorized users could potentially hijack or tamper with legitimate user sessions, compromising the integrity and confidentiality of user data.

Affected Version(s)

Mojolicious 0.999922

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.