MEDIUM · 6.5

CVE-2018-25160

Vulnerability Description

HTTP::Session2 versions through 1.09 for Perl do not validate the format of user-provided session ids, enabling code injection or other impact depending on the session backend. For example, if an application uses memcached for session storage, a remote attacker may be able to inject memcached commands through the session id value.
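As an added example (not code from the HTTP::Session2 project), the Python below shows the two checks the description implies are missing: a strict format check on the user-supplied session id before any backend lookup, and a backend-level check reflecting what the memcached text protocol can carry (no whitespace or control characters, at most 250 bytes). The id format, the dict-based store and the key prefix are assumptions.

```python
import re

# Memcached text-protocol keys are limited to 250 bytes and may not contain
# whitespace or control characters (protocol constraint, not from HTTP::Session2).
MEMCACHED_KEY_MAX = 250

# Assumed application policy: ids are 16-64 chars from a URL-safe alphabet.
SESSION_ID_RE = re.compile(r"\A[A-Za-z0-9_-]{16,64}\Z")


def is_valid_session_id(sid) -> bool:
    """Strict check: accept only ids in the exact format the application issues."""
    if not isinstance(sid, str):
        return False
    return SESSION_ID_RE.fullmatch(sid) is not None


def is_safe_memcached_key(key: str) -> bool:
    """Backend-level check: reject anything the memcached text protocol cannot carry."""
    data = key.encode("utf-8", errors="surrogateescape")
    if not data or len(data) > MEMCACHED_KEY_MAX:
        return False
    # 0x00-0x20 covers control characters and space; 0x7F is DEL.
    return all(b > 0x20 and b != 0x7F for b in data)


def load_session(sid, store: dict, prefix: str = "sess:"):
    """Look up a session only after the id passes the strict check.

    An id that fails validation is treated as 'no session' rather than being
    forwarded to the backend, so malformed input never becomes a backend key.
    """
    if not is_valid_session_id(sid):
        return None
    key = prefix + sid
    # Defence in depth: the strict format already guarantees this, but a
    # backend wrapper should enforce its own constraint independently.
    if not is_safe_memcached_key(key):
        return None
    return store.get(key)


if __name__ == "__main__":
    # Constructed sample store standing in for memcached.
    good_id = "a" * 32
    sessions = {"sess:" + good_id: {"user": "alice"}}
    print(load_session(good_id, sessions))        # {'user': 'alice'}
    print(load_session("bad id\r\nwith ctl", sessions))  # None
```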

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: LOW
Availability: NONE

Affected Products

Vendor: Tokuhirom
Product: HTTP::Session2
Versions: <= 1.09

Related Weaknesses (CWE)

References

FAQ

What is CVE-2018-25160?

CVE-2018-25160 is a vulnerability with a CVSS score of 6.5 (MEDIUM). HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend. For example, if an appli...

How severe is CVE-2018-25160?

CVE-2018-25160 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-25160?

Check the references section above for vendor advisories and patch information. Affected products include: Tokuhirom HTTP::Session2.