Unrated severity | NVD Advisory | Published May 3, 2025 | Updated Oct 20, 2025
Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as the HMAC session cookie secret by default
CVE-2024-58134
Description
Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as the HMAC session cookie secret by default.
These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.
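The mitigation is to give the application its own random secrets instead of relying on the framework default. The following Mojolicious::Lite app is an added example, not code from the advisory or from the Mojolicious project: it loads secrets from an assumed environment variable MOJO_SESSION_SECRETS, refuses to start if a secret is short or equals the predictable defaults (the application class name or moniker), and keeps older secrets accepted so sessions survive a rotation.

```perl
#!/usr/bin/env perl
# Added example: start a Mojolicious app only with strong, non-default
# session secrets. MOJO_SESSION_SECRETS is an assumed variable name holding
# one or more comma-separated random values (newest first).
use Mojolicious::Lite -signatures;

# Vulnerable pattern: never calling app->secrets(...) leaves the framework
# default (a fixed string or the application's class name) as the HMAC key,
# so anyone who knows that default can mint valid session cookies.
#
# Hardened pattern: the first secret signs new cookies; the remaining ones
# are still accepted for verification, which allows safe rotation.
my @secrets = grep { length } split /,/, ($ENV{MOJO_SESSION_SECRETS} // '');
die "Set MOJO_SESSION_SECRETS to at least one random value\n" unless @secrets;

for my $secret (@secrets) {
  die "Session secret is too short (need at least 32 characters)\n"
    if length($secret) < 32;
  die "Session secret must not be the application class name or moniker\n"
    if $secret eq ref(app) || $secret eq app->moniker;
}
app->secrets(\@secrets);

get '/' => sub ($c) {
  $c->session(user => 'demo');   # cookie is signed with $secrets[0]
  $c->render(text => 'session set');
};

app->start;
```

Generate each value with a CSPRNG, for example `openssl rand -hex 32`, and rotate by prepending a new value while leaving the previous one in place until old sessions have expired.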
Affected products
- Range: >=0.999922
- SRI/Mojolicious, v5, Range: 0.999922
References
- github.com/hashcat/hashcat/pull/4090 (MITRE: exploit)
- docs.mojolicious.org/Mojolicious/Guides/FAQ (MITRE: technical description)
- github.com/mojolicious/mojo/pull/1791 (MITRE: issue tracking)
- github.com/mojolicious/mojo/pull/2200 (MITRE: issue tracking)
- github.com/mojolicious/mojo/pull/2252 (MITRE: issue tracking)
- lists.debian.org/debian-perl/2025/05/msg00016.html (MITRE: mailing list)
- lists.debian.org/debian-perl/2025/05/msg00017.html (MITRE: mailing list)
- lists.debian.org/debian-perl/2025/05/msg00018.html (MITRE: mailing list)
- medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802 (MITRE: technical description)
- metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm (MITRE: related)
- www.synacktiv.com/publications/baking-mojolicious-cookies (MITRE: technical description)