Vulnerability Description
Mojolicious versions from 7.28 for Perl generate weak HMAC session cookie secrets via "mojo generate app" by default. When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and that secret is then used to authenticate and protect the integrity of the application's sessions. Because rand() is not a cryptographically secure source of randomness, this may allow an attacker to brute force the application's session keys.
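The following is an added example, not code from the Mojolicious project or from the advisory, contrasting the weak pattern described above with a secret drawn from the operating system's CSPRNG. It assumes the CPAN module Crypt::URandom is installed; the weak_secret() body is an approximation of the rand()-based pattern, included only to show what should be replaced. The sign/verify pair illustrates why the secret matters: Mojo::Util's hmac_sha1_sum is what protects session cookie integrity.

```perl
#!/usr/bin/env perl
# Added example (not Mojolicious project code). Assumes Crypt::URandom from CPAN.
use strict;
use warnings;
use Crypt::URandom qw(urandom);
use Mojo::Util qw(sha1_sum hmac_sha1_sum secure_compare);

# Weak (approximation of the rand()-based pattern): rand() is seeded from a
# small, guessable state, so the number of possible secrets is tiny no matter
# how long the hashed output looks. Do not use.
sub weak_secret { return sha1_sum( $$ . time . rand ) }

# Strong: 32 bytes (256 bits) from the OS CSPRNG, hex-encoded so it can be
# pasted into the application's configuration file as a plain string.
sub secure_secret { return unpack 'H*', urandom(32) }

# How the secret is used: session cookie values are signed with HMAC-SHA1.
# Whoever holds the secret can produce valid signatures, which is why its
# entropy, not its length, is what matters.
sub sign {
    my ( $secret, $value ) = @_;
    return hmac_sha1_sum( $value, $secret );
}

sub verify {
    my ( $secret, $value, $sig ) = @_;
    # constant-time comparison avoids leaking the signature via timing
    return secure_compare( sign( $secret, $value ), $sig );
}

my $secret = secure_secret();
my $sig    = sign( $secret, 'session-payload' );
print "secret length: ", length($secret), " hex chars\n";    # 64
print "signature ok: ", ( verify( $secret, 'session-payload', $sig ) ? 'yes' : 'no' ), "\n";
print "tampered ok: ",  ( verify( $secret, 'session-tampered', $sig ) ? 'yes' : 'no' ), "\n";
```

For an existing application generated with an affected version, replace the value in the config's `secrets` list with the output of secure_secret(). Mojolicious signs with the first entry and verifies against all entries, so prepending a new secret and keeping the old one for a short period lets existing sessions expire naturally before the old secret is removed.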
CVSS Score
5.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mojolicious | Mojolicious | >= 7.28, <= 9.40 |
Related Weaknesses (CWE)
References
- https://github.com/hashcat/hashcat/pull/4090 (Issue Tracking, Patch)
- https://github.com/mojolicious/mojo/pull/2200 (Exploit, Issue Tracking, Patch)
- https://lists.debian.org/debian-perl/2025/05/msg00016.html
- https://lists.debian.org/debian-perl/2025/05/msg00017.html
- https://lists.debian.org/debian-perl/2025/05/msg00018.html
- https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command (Product)
- https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command (Product)
- https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181 (Product)
- https://perldoc.perl.org/functions/rand (Product)
- https://security.metacpan.org/docs/guides/random-data-for-security.html (Technical Description)
FAQ
What is CVE-2024-58135?
CVE-2024-58135 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default When creating a default app skeleton with the "mojo generate app" tool, a wea...
How severe is CVE-2024-58135?
CVE-2024-58135 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-58135?
Check the references section above for vendor advisories and patch information. Affected product: Mojolicious (vendor: Mojolicious), versions >= 7.28 and <= 9.40.