
CVE-2024-58134 (GCVE-0-2024-58134)
Vulnerability from nvd
Published
2025-05-03 16:08
Modified
2025-10-20 20:09
CWE
  • CWE-321 - Use of Hard-coded Cryptographic Key
  • CWE-331 - Insufficient Entropy
Summary
Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as the HMAC session-cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies: an attacker who knows or guesses the secret can compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.
Impacted products
Vendor Product Version
SRI Mojolicious Version: 0.999922 and later (affected range recorded as version 0.999922 with lessThanOrEqual "*", i.e. no fixed upper bound)


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-58134",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-12T15:57:49.444238Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-12T16:00:28.464Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Mojolicious",
          "product": "Mojolicious",
          "programFiles": [
            "lib/Mojolicious.pm"
          ],
          "programRoutines": [
            {
              "name": "secrets()"
            }
          ],
          "repo": "https://github.com/mojolicious/mojo",
          "vendor": "SRI",
          "versions": [
            {
              "lessThanOrEqual": "*",
              "status": "affected",
              "version": "0.999922",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "analyst",
          "value": "Antoine Cervoise from Synacktiv"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jakub Kramarz"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Lukas Atkinson"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application\u0027s class name, as an HMAC session cookie secret by default.\u003cbr\u003e\u003cbr\u003eThese predictable default secrets can be exploited by an attacker to forge session cookies.\u0026nbsp; An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user\u2019s session.\u003cbr\u003e"
            }
          ],
          "value": "Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application\u0027s class name, as an HMAC session cookie secret by default.\n\nThese predictable default secrets can be exploited by an attacker to forge session cookies.\u00a0 An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user\u2019s session."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-321",
              "description": "CWE-321 Use of Hard-coded Cryptographic Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-331",
              "description": "CWE-331 Insufficient Entropy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-20T20:09:00.882Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/mojolicious/mojo/pull/1791"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/mojolicious/mojo/pull/2200"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://www.synacktiv.com/publications/baking-mojolicious-cookies"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/hashcat/hashcat/pull/4090"
        },
        {
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-perl/2025/05/msg00016.html"
        },
        {
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-perl/2025/05/msg00017.html"
        },
        {
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-perl/2025/05/msg00018.html"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/mojolicious/mojo/pull/2252"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://docs.mojolicious.org/Mojolicious/Guides/FAQ#What-does-Your-secret-passphrase-needs-to-be-changed-mean"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application\u0027s class name, as an HMAC session cookie secret by default",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Ensure that your Mojolicious application uses a unique secret of at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the \"openssl rand -base64 32\" command.\u003cbr\u003e"
            }
          ],
          "value": "Ensure that your Mojolicious application uses a unique secret of at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the \"openssl rand -base64 32\" command."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2024-58134",
    "datePublished": "2025-05-03T16:08:55.042Z",
    "dateReserved": "2025-04-07T16:06:37.226Z",
    "dateUpdated": "2025-10-20T20:09:00.882Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58135 (GCVE-0-2024-58135)
Vulnerability from nvd
Published
2025-05-03 10:16
Modified
2025-10-20 20:09
CWE
  • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Summary
Mojolicious versions from 7.28 for Perl generate weak HMAC session-cookie secrets via "mojo generate app" by default. When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and is then used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute-force the application's session keys. Note that because the secret is written into the generated configuration file, applications scaffolded with an affected version keep that weak secret until it is replaced manually; upgrading Mojolicious alone does not rotate it.
Impacted products
Vendor Product Version
SRI Mojolicious Version: 7.28 and later (affected range recorded as version 7.28 with lessThanOrEqual "*", i.e. no fixed upper bound)


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-58135",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-05T17:58:51.652027Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-338",
                "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-07T19:06:35.967Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Mojolicious",
          "product": "Mojolicious",
          "programFiles": [
            "lib/Mojolicious/Command/Author/generate/app.pm",
            "lib/Mojo/Util.pm",
            "lib/Mojolicious/Command/generate/app.pm"
          ],
          "programRoutines": [
            {
              "name": "Mojolicious::Command::Author::generate::app::run()"
            },
            {
              "name": "Mojo::Util::generate_secret()"
            }
          ],
          "repo": "https://github.com/mojolicious/mojo",
          "vendor": "SRI",
          "versions": [
            {
              "lessThanOrEqual": "*",
              "status": "affected",
              "version": "7.28",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via \"mojo generate app\" by default\u003cbr\u003e\u003cbr\u003eWhen creating a default app skeleton with the \"mojo generate app\" tool, a weak secret is written to the application\u0027s configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application\u0027s sessions. This may allow an attacker to brute force the application\u0027s session keys.\u003cbr\u003e"
            }
          ],
          "value": "Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via \"mojo generate app\" by default\n\nWhen creating a default app skeleton with the \"mojo generate app\" tool, a weak secret is written to the application\u0027s configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application\u0027s sessions. This may allow an attacker to brute force the application\u0027s session keys."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-338",
              "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-20T20:09:18.816Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "related"
          ],
          "url": "https://perldoc.perl.org/functions/rand"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/mojolicious/mojo/pull/2200"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/hashcat/hashcat/pull/4090"
        },
        {
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-perl/2025/05/msg00016.html"
        },
        {
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-perl/2025/05/msg00017.html"
        },
        {
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-perl/2025/05/msg00018.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via \"mojo generate app\" by default",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Ensure that your secret, stored in the application\u0027s configuration file, is at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the \"openssl rand -base64 32\" command."
            }
          ],
          "value": "Ensure that your secret, stored in the application\u0027s configuration file, is at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the \"openssl rand -base64 32\" command."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "As of version 9.39 of Mojolicious, if the optional CryptX distribution version 0.080 or later is available in the include path before calling the \"mojo generate app\" tool, then a secure 1024 bit long secret will be generated.\u003cbr\u003e"
            }
          ],
          "value": "As of version 9.39 of Mojolicious, if the optional CryptX distribution version 0.080 or later is available in the include path before calling the \"mojo generate app\" tool, then a secure 1024 bit long secret will be generated."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2024-58135",
    "datePublished": "2025-05-03T10:16:10.636Z",
    "dateReserved": "2025-04-07T16:06:37.226Z",
    "dateUpdated": "2025-10-20T20:09:18.816Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58134 (GCVE-0-2024-58134)
Vulnerability from cvelistv5
Published
2025-05-03 16:08
Modified
2025-10-20 20:09
CWE
  • CWE-321 - Use of Hard-coded Cryptographic Key
  • CWE-331 - Insufficient Entropy
Summary
Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as the HMAC session-cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies: an attacker who knows or guesses the secret can compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.
Impacted products
Vendor Product Version
SRI Mojolicious Version: 0.999922 and later (affected range recorded as version 0.999922 with lessThanOrEqual "*", i.e. no fixed upper bound)


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-58134",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-12T15:57:49.444238Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-12T16:00:28.464Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Mojolicious",
          "product": "Mojolicious",
          "programFiles": [
            "lib/Mojolicious.pm"
          ],
          "programRoutines": [
            {
              "name": "secrets()"
            }
          ],
          "repo": "https://github.com/mojolicious/mojo",
          "vendor": "SRI",
          "versions": [
            {
              "lessThanOrEqual": "*",
              "status": "affected",
              "version": "0.999922",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "analyst",
          "value": "Antoine Cervoise from Synacktiv"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jakub Kramarz"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Lukas Atkinson"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application\u0027s class name, as an HMAC session cookie secret by default.\u003cbr\u003e\u003cbr\u003eThese predictable default secrets can be exploited by an attacker to forge session cookies.\u0026nbsp; An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user\u2019s session.\u003cbr\u003e"
            }
          ],
          "value": "Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application\u0027s class name, as an HMAC session cookie secret by default.\n\nThese predictable default secrets can be exploited by an attacker to forge session cookies.\u00a0 An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user\u2019s session."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-321",
              "description": "CWE-321 Use of Hard-coded Cryptographic Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-331",
              "description": "CWE-331 Insufficient Entropy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-20T20:09:00.882Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/mojolicious/mojo/pull/1791"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/mojolicious/mojo/pull/2200"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://www.synacktiv.com/publications/baking-mojolicious-cookies"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/hashcat/hashcat/pull/4090"
        },
        {
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-perl/2025/05/msg00016.html"
        },
        {
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-perl/2025/05/msg00017.html"
        },
        {
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-perl/2025/05/msg00018.html"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/mojolicious/mojo/pull/2252"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://docs.mojolicious.org/Mojolicious/Guides/FAQ#What-does-Your-secret-passphrase-needs-to-be-changed-mean"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application\u0027s class name, as an HMAC session cookie secret by default",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Ensure that your Mojolicious application uses a unique secret of at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the \"openssl rand -base64 32\" command.\u003cbr\u003e"
            }
          ],
          "value": "Ensure that your Mojolicious application uses a unique secret of at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the \"openssl rand -base64 32\" command."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2024-58134",
    "datePublished": "2025-05-03T16:08:55.042Z",
    "dateReserved": "2025-04-07T16:06:37.226Z",
    "dateUpdated": "2025-10-20T20:09:00.882Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58135 (GCVE-0-2024-58135)
Vulnerability from cvelistv5
Published
2025-05-03 10:16
Modified
2025-10-20 20:09
CWE
  • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Summary
Mojolicious versions from 7.28 for Perl generate weak HMAC session-cookie secrets via "mojo generate app" by default. When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and is then used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute-force the application's session keys. Note that because the secret is written into the generated configuration file, applications scaffolded with an affected version keep that weak secret until it is replaced manually; upgrading Mojolicious alone does not rotate it.
Impacted products
Vendor Product Version
SRI Mojolicious Version: 7.28 and later (affected range recorded as version 7.28 with lessThanOrEqual "*", i.e. no fixed upper bound)


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-58135",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-05T17:58:51.652027Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-338",
                "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-07T19:06:35.967Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Mojolicious",
          "product": "Mojolicious",
          "programFiles": [
            "lib/Mojolicious/Command/Author/generate/app.pm",
            "lib/Mojo/Util.pm",
            "lib/Mojolicious/Command/generate/app.pm"
          ],
          "programRoutines": [
            {
              "name": "Mojolicious::Command::Author::generate::app::run()"
            },
            {
              "name": "Mojo::Util::generate_secret()"
            }
          ],
          "repo": "https://github.com/mojolicious/mojo",
          "vendor": "SRI",
          "versions": [
            {
              "lessThanOrEqual": "*",
              "status": "affected",
              "version": "7.28",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via \"mojo generate app\" by default\u003cbr\u003e\u003cbr\u003eWhen creating a default app skeleton with the \"mojo generate app\" tool, a weak secret is written to the application\u0027s configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application\u0027s sessions. This may allow an attacker to brute force the application\u0027s session keys.\u003cbr\u003e"
            }
          ],
          "value": "Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via \"mojo generate app\" by default\n\nWhen creating a default app skeleton with the \"mojo generate app\" tool, a weak secret is written to the application\u0027s configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application\u0027s sessions. This may allow an attacker to brute force the application\u0027s session keys."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-338",
              "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-20T20:09:18.816Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "related"
          ],
          "url": "https://perldoc.perl.org/functions/rand"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/mojolicious/mojo/pull/2200"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/hashcat/hashcat/pull/4090"
        },
        {
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-perl/2025/05/msg00016.html"
        },
        {
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-perl/2025/05/msg00017.html"
        },
        {
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-perl/2025/05/msg00018.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via \"mojo generate app\" by default",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Ensure that your secret, stored in the application\u0027s configuration file, is at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the \"openssl rand -base64 32\" command."
            }
          ],
          "value": "Ensure that your secret, stored in the application\u0027s configuration file, is at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the \"openssl rand -base64 32\" command."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "As of version 9.39 of Mojolicious, if the optional CryptX distribution version 0.080 or later is available in the include path before calling the \"mojo generate app\" tool, then a secure 1024 bit long secret will be generated.\u003cbr\u003e"
            }
          ],
          "value": "As of version 9.39 of Mojolicious, if the optional CryptX distribution version 0.080 or later is available in the include path before calling the \"mojo generate app\" tool, then a secure 1024 bit long secret will be generated."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2024-58135",
    "datePublished": "2025-05-03T10:16:10.636Z",
    "dateReserved": "2025-04-07T16:06:37.226Z",
    "dateUpdated": "2025-10-20T20:09:18.816Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}