VYPR
Unrated severity · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2009-10007

Description

Catalyst::Plugin::Authentication before 0.10_027 is vulnerable to session fixation by not rotating session IDs after authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Catalyst::Plugin::Authentication versions prior to 0.10_027 for Perl are susceptible to session fixation attacks. The vulnerability exists because the plugin does not automatically change the session ID after a user has been authenticated. This allows an attacker to potentially hijack a user's session.

Exploitation

An attacker can exploit this vulnerability by obtaining a victim's valid session ID cookie. Once the attacker has the session ID, they can use it to impersonate the victim by sending requests to the application with the stolen session ID. No other user interaction or special privileges are required beyond obtaining the session ID.

Impact

Successful exploitation of this vulnerability allows an attacker to impersonate a legitimate user, gaining access to the victim's session data and potentially performing actions on behalf of the victim. This could lead to unauthorized access to sensitive information or unauthorized modification of data within the compromised session.

Mitigation

This vulnerability is addressed in Catalyst::Plugin::Authentication version 0.10_027, which adds a rotate_session_id setting that changes the session ID upon authentication. The fix was released on June 7, 2026 [3]. Users are advised to upgrade to this version or later. The available references mention no workaround for cases where upgrading is not immediately possible.

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (2)
77a5824985d4

Release commit for 0.10_027

https://github.com/perl-catalyst/catalyst-plugin-authentication · Karen Etheridge · Jun 7, 2026 · via github-commit-search
1 file changed · +1 −0
  • Changes (+1 −0, modified)
    @@ -1,5 +1,6 @@
     Revision history for Perl extension Catalyst::Plugin::Authentication
     
    +0.10_027 - 2026-06-07
         - When used with Catalyst::Plugin::Session, rotate the session id after a
           successful login to avoid session fixation attacks (CVE-2009-10007).
     
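Review bot: the Changes entry names the behaviour but not the knob; since the same release adds the `rotate_session_id` setting (enabled by default) and raises the Catalyst::Plugin::Session requirement to 0.25, the entry should mention both so that anyone reading the changelog knows the rotation is configurable and what it depends on, e.g. "- Add rotate_session_id (default on); requires Catalyst::Plugin::Session 0.25+".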
    
b1385ea87a24

add rotate_session_id setting to rotate session id on auth

5 files changed · +37 −3
  • lib/Catalyst/Authentication/Realm.pm (+15 −0, modified)
    @@ -26,6 +26,14 @@ sub new {
             }
         }
     
    +    if (!exists($self->config->{'rotate_session_id'})) {
    +        if (exists($app->config->{'Plugin::Authentication'}{'rotate_session_id'})) {
    +            $self->config->{'rotate_session_id'} = $app->config->{'Plugin::Authentication'}{'rotate_session_id'};
    +        } else {
    +            $self->config->{'rotate_session_id'} = 1;
    +        }
    +    }
    +
         $app->log->debug("Setting up auth realm $realmname") if $app->debug;
     
         $self->setup_store($app);
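Review bot: `exists($app->config->{'Plugin::Authentication'}{'rotate_session_id'})` autovivifies `$app->config->{'Plugin::Authentication'}` when the application has no such key, a harmless but surprising side effect of the nested lookup; guarding with `exists $app->config->{'Plugin::Authentication'} and exists $app->config->{'Plugin::Authentication'}{'rotate_session_id'}` avoids it. Defaulting to 1 is the right choice for a security fix, but it silently enables a code path that needs `change_session_id`; logging the effective value next to the existing "Setting up auth realm" debug line would help operators diagnose an older Session plugin.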
    @@ -238,6 +246,13 @@ sub persist_user {
             and $self->config->{'use_session'}
             and $user->supports("session")
         ) {
    +        if (
    +            $self->config->{rotate_session_id}
    +            and $c->session_is_valid
    +        ) {
    +            $c->change_session_id;
    +        }
    +
             $c->session->{__user_realm} = $self->name;
     
             # we want to ask the store for a user prepared for the session.
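Review bot: the rotation is placed correctly, before `__user_realm` and the user are written, so the authenticated data lands under the new id, and the `session_is_valid` guard sensibly skips rotation when no existing session is in play. What is missing is a readable failure when Catalyst::Plugin::Session predates `change_session_id`: with the option defaulting to true, an older Session plugin dies with a missing-method error at the first login. A `$c->can('change_session_id')` check with an explicit error (or a version assertion at setup) would make the new hard dependency obvious.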
    
  • lib/Catalyst/Plugin/Authentication.pm (+6 −0, modified)
    @@ -814,6 +814,12 @@ prevent accidental session creation, check if a session already exists with
     if ($c->sessionid) { ... }. If the session doesn't exist, then don't place
     anything in the session to prevent an unecessary session from being created.
     
    +=item rotate_session_id
    +
    +Whether or not to rotate the session ID when authenticating as a new user. This
    +mitigates session-fixation attacks (L<CWE-384|https://cwe.mitre.org/data/definitions/384.html>).
    +This requires L<Catalyst::Plugin::Session> version 0.25. This value is set to true by default.
    +
     =item default_realm
     
     This defines which realm should be used as when no realm is provided to methods
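Review bot: "This requires L<Catalyst::Plugin::Session> version 0.25" should read "0.25 or later", and because the option defaults to true the paragraph should say what happens with an older Session plugin (login fails, since there is no `change_session_id` method) rather than leaving the reader to discover it. "when authenticating as a new user" is also narrower than the code, which rotates on every successful `persist_user` call while a valid session exists.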
    
  • Makefile.PL (+1 −1, modified)
    @@ -34,7 +34,7 @@ my %META = (
             'Test::Pod::Coverage' => '1.04',
             'Test::NoTabs' => 0,
             'Test::EOL' => 0,
    -        'Catalyst::Plugin::Session' => '0.10',
    +        'Catalyst::Plugin::Session' => '0.25',
             'Catalyst::Plugin::Session::State::Cookie' => 0,
             'Digest::SHA' => 0,
           },
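Review bot: the bumped `'Catalyst::Plugin::Session' => '0.25'` sits in the same block as Test::Pod::Coverage, Test::NoTabs and Test::EOL, which suggests a test-prerequisites list; if that is the case, an install alongside an older Session plugin still succeeds and only fails at login. The minimum should also be stated wherever the runtime relationship is declared (Session is optional for this plugin, but once present it must be at least 0.25), or enforced by a version check at setup.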
    
  • t/lib/AuthSessionTestApp/Controller/Root.pm (+14 −1, modified)
    @@ -72,5 +72,18 @@ sub butterfly : Local {
         ok( !$c->user, "no user object either" );
     }
     
    -1;
    +sub octopus : Local {
    +    my ( $self, $c ) = @_;
    +
    +    my $session_id = $c->sessionid;
    +    ok($session_id, "have session id");
    +    ok(!$c->user_exists, "no user exists");
    +    ok(!$c->user, "no user yet");
    +    ok($c->login( "bar", "s3cr3t" ), "can login with clear");
    +    is( $c->user, $AuthSessionTestApp::users->{bar}, "user object is in proper place");
    +    my $new_session_id = $c->sessionid;
    +    ok($new_session_id, "have session id");
    +    isnt($new_session_id, $session_id, "session id has changed");
    +}
     
    +1;
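Review bot: `octopus` asserts that `$c->sessionid` differs after login, but not the property that actually defeats fixation: that the pre-login id no longer resolves to an authenticated session. A follow-up request that presents the old cookie and expects no user would close that gap, and it would also be worth asserting that session data written before `login` survives the rotation, since `change_session_id` is expected to carry it over.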
    
  • t/live_app_session.t (+1 −1, modified)
    @@ -39,7 +39,7 @@ ok +$res->is_success, 'get ok';
     $res = _request('/yak');
     ok !$res->is_success, 'Not ok, user unable to be resotred == nasal demons';
     
    -foreach my $type (qw/ goat fluffy_bunny possum butterfly /) {
    +foreach my $type (qw/ goat fluffy_bunny possum butterfly octopus/) {
         $res = _request("/$type");
         ok +$res->is_success, "get $type ok";
     }
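Review bot: `qw/ goat fluffy_bunny possum butterfly octopus/` drops the space before the closing delimiter that the original line had; trivial, but worth matching. More substantively, `octopus` asserts `ok($session_id, "have session id")` before logging in, so it depends on a session left behind by the earlier requests in this loop; stating that ordering dependency in a comment, or having the action create its own session first, would keep the test from breaking if the list is reordered. While touching this file, the context line's "resotred" typo in the test name could be fixed too.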
    

Vulnerability mechanics

Root cause

"The plugin does not automatically change the session ID after a user authenticates, allowing session fixation."

Attack vector

An attacker can obtain a valid session ID cookie from a victim. By presenting this session ID to the application before the victim logs in, the attacker can hijack the victim's authenticated session after they log in. This is possible because Catalyst::Plugin::Authentication does not automatically rotate the session ID upon successful authentication [ref_id=1].

Affected code

The vulnerability lies within the `persist_user` method in `lib/Catalyst/Authentication/Realm.pm`. This method is responsible for handling user persistence after authentication. The patch modifies this method to include a check for the `rotate_session_id` configuration and calls `$c->change_session_id` if the condition is met [patch_id=5322831].

What the fix does

The patch introduces a new configuration option `rotate_session_id` which, when enabled, causes the session ID to be changed after a successful login [patch_id=5322831]. This change prevents attackers from fixing a session ID and then using it to impersonate a user, thereby mitigating session fixation attacks [ref_id=1]. The default value for this setting is true, and it requires Catalyst::Plugin::Session version 0.25 or higher.
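An added example, not code from Catalyst::Plugin::Authentication or this page: a small Perl model of what persist_user does with and without session rotation, with Test::More assertions in the style of the project's octopus test. The store, start_session, login and user_for functions are hypothetical stand-ins for Catalyst::Plugin::Session's state.

```perl
# Added example, not code from Catalyst::Plugin::Authentication: a toy
# session store modelling persist_user before and after the fix. The
# names %store, start_session, login and user_for are hypothetical.
use strict;
use warnings;
use Test::More tests => 6;

my %store;        # session id => hashref of session data
my $counter = 0;
sub new_session_id { return sprintf 'sid%03d', ++$counter }

# Create an empty, unauthenticated session and return its id.
sub start_session {
    my $id = new_session_id();
    $store{$id} = {};
    return $id;
}

# Model of persist_user: attach $user to the session carried by $sid.
# $rotate stands in for rotate_session_id; "exists in %store" stands in
# for $c->session_is_valid.
sub login {
    my ($sid, $user, $rotate) = @_;
    if (!exists $store{$sid}) {
        $sid = start_session();               # no valid session: fresh id anyway
    }
    elsif ($rotate) {
        my $new_id = new_session_id();        # like $c->change_session_id:
        $store{$new_id} = delete $store{$sid};  # data moves, old id dies
        $sid = $new_id;
    }
    $store{$sid}{user} = $user;
    return $sid;
}

sub user_for { my ($sid) = @_; return exists $store{$sid} ? $store{$sid}{user} : undef }

# Pre-0.10_027 behaviour: the id issued before login keeps working after it.
my $before = start_session();
my $after  = login($before, 'bar', 0);
is($after, $before,          'without rotation the id is unchanged');
is(user_for($before), 'bar', 'pre-login id now resolves to the user');

# With rotate_session_id => 1: only the new id carries the login.
my $pre  = start_session();
$store{$pre}{cart} = ['widget'];              # pre-login data should survive
my $post = login($pre, 'bar', 1);
isnt($post, $pre,            'session id rotated on login');
is(user_for($pre), undef,    'pre-login id no longer resolves');
is(user_for($post), 'bar',   'new id carries the user');
is_deeply($store{$post}{cart}, ['widget'], 'session data moved with the id');
```

Run it with `perl` from any directory; the two halves show the pre-fix and post-fix behaviour side by side on the same toy store.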

Preconditions

  • config: Catalyst::Plugin::Authentication must be configured to use sessions.
  • config: Catalyst::Plugin::Session must be installed and configured.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.