CVE-2024-58135
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/05/2025
Last modified:
20/10/2025
Description
Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default.

When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.
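An added example, not code from Mojolicious or its app generator, showing the class of weak secret the advisory describes beside a CSPRNG-derived replacement and how an affected application can rotate to it without invalidating live sessions. It assumes the CPAN module Crypt::URandom is installed; the legacy secret value is constructed here as a stand-in for the one a generated myapp.conf would hold.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Mojolicious::Lite -signatures;
use Crypt::URandom qw(urandom);   # CPAN module: bytes from the OS CSPRNG
use Mojo::Util qw(sha1_sum);

# Weak pattern (same class as the advisory, not the generator's exact code):
# the secret is derived from Perl's rand(), which is not a CSPRNG and has a
# small internal state, so hashing its output adds no entropy.
sub weak_secret { return sha1_sum(rand()) }

# Hardened replacement: 32 bytes from the OS CSPRNG, hex-encoded (256 bits).
sub strong_secret { return unpack 'H*', urandom(32) }

# Rotation helper: Mojolicious signs new session cookies with the first
# secret in the list and still verifies cookies signed with any later one.
# Prepending a fresh secret therefore migrates users transparently; drop the
# legacy secret once existing sessions have expired.
sub rotated_secrets ($legacy) { return [strong_secret(), @$legacy] }

# Constructed stand-in for the secret read from a generated config file.
my $legacy_secrets = [weak_secret()];
app->secrets(rotated_secrets($legacy_secrets));

get '/' => sub ($c) {
  $c->session(visits => ($c->session('visits') // 0) + 1);
  $c->render(text => 'visits: ' . $c->session('visits'));
};

app->start;
```

Run with `perl app.pl daemon`; a cookie issued before the rotation is still accepted, while every new or refreshed session is signed with the CSPRNG-derived secret.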
Impact
Base Score 3.x
5.30
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:mojolicious:mojolicious:*:*:*:*:*:perl:*:* | 7.28 (including) | 9.40 (including) |
References to Advisories, Solutions, and Tools
- https://github.com/hashcat/hashcat/pull/4090
- https://github.com/mojolicious/mojo/pull/2200
- https://lists.debian.org/debian-perl/2025/05/msg00016.html
- https://lists.debian.org/debian-perl/2025/05/msg00017.html
- https://lists.debian.org/debian-perl/2025/05/msg00018.html
- https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220
- https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202
- https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181
- https://perldoc.perl.org/functions/rand
- https://security.metacpan.org/docs/guides/random-data-for-security.html