Vulnerability Description
Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mojolicious | Mojolicious | >= 0.999922, <= 9.40 |
Related Weaknesses (CWE)
References
- https://docs.mojolicious.org/Mojolicious/Guides/FAQ#What-does-Your-secret-passph
- https://github.com/hashcat/hashcat/pull/4090Issue TrackingPatch
- https://github.com/mojolicious/mojo/pull/1791Issue TrackingPatch
- https://github.com/mojolicious/mojo/pull/2200Issue TrackingPatch
- https://github.com/mojolicious/mojo/pull/2252
- https://lists.debian.org/debian-perl/2025/05/msg00016.html
- https://lists.debian.org/debian-perl/2025/05/msg00017.html
- https://lists.debian.org/debian-perl/2025/05/msg00018.html
- https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-ofThird Party Advisory
- https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51Product
- https://www.synacktiv.com/publications/baking-mojolicious-cookiesExploit
FAQ
What is CVE-2024-58134?
CVE-2024-58134 is a vulnerability with a CVSS score of 8.1 (HIGH). Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited ...
How severe is CVE-2024-58134?
CVE-2024-58134 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-58134?
Check the references section above for vendor advisories and patch information. Affected products include: Mojolicious Mojolicious.