CVE-2018-25160

Severity CVSS v4.0:

Pending analysis

Type:

CWE-20 Input Validation

Publication date:

27/02/2026

Last modified:

28/02/2026

Description

HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend.<br /> <br /> For example, if an application uses memcached for session storage, then it may be possible for a remote attacker to inject memcached commands in the session id value.

Impact

References to Advisories, Solutions, and Tools

https://github.com/tokuhirom/HTTP-Session2/commit/813838f6d08034b6a265a70e53b59b941b5d3e6d.patch
https://metacpan.org/pod/Cache::Memcached::Fast::Safe
https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.10/source/Changes
http://www.openwall.com/lists/oss-security/2026/02/27/13