CVE-2024-58134: Mojolicious versions from 0.999922 through 9.39 for Perl use a hard-coded string, or the application's class name, as an HMAC session secret by default
Breno Oliveira 03 May 2025 16:11 UTC
========================================================================
CVE-2024-58134 CPAN Security Group
========================================================================
CVE ID: CVE-2024-58134
Distribution: Mojolicious
Versions: from 0.999922 through 9.39
MetaCPAN: https://metacpan.org/dist/Mojolicious
VCS Repo: https://github.com/mojolicious/mojo
Mojolicious versions from 0.999922 through 9.39 for Perl use a hard-coded
string, or the application's class name, as an HMAC session secret by
default
Description
-----------
Mojolicious versions from 0.999922 through 9.39 for Perl use a hard-coded
string, or the application's class name, as an HMAC session secret by
default.
These predictable default secrets can be exploited to forge session
cookies. An attacker who knows or guesses the secret could compute
valid HMAC signatures for the session cookie, allowing them to tamper
with or hijack another user’s session.
Problem types
-------------
CWE-321 Use of Hard-coded Cryptographic Key
CWE-331 Insufficient Entropy
Workarounds
-----------
Ensure that your Mojolicious application uses a unique secret of at
least 128 bits of cryptographically secure random data. For example, to
generate a 256-bit secret, one could use the output generated by the
"openssl rand -base64 32" command.
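The following Mojolicious::Lite application is an added illustration of the
workaround, not code from the advisory or the Mojolicious project. It assumes
the secret generated with "openssl rand -base64 32" is passed in through an
environment variable named MOJO_SESSION_SECRET (a name chosen for this
example), refuses to start without it, and rejects values that decode to fewer
than 128 bits before installing the secret with the real secrets() accessor.

```perl
#!/usr/bin/env perl
use Mojolicious::Lite -signatures;
use MIME::Base64 qw(decode_base64);

# Assumption for this example: the operator generates the secret with
#   openssl rand -base64 32
# and exports it as MOJO_SESSION_SECRET before starting the app.
my $secret = $ENV{MOJO_SESSION_SECRET}
  // die "MOJO_SESSION_SECRET is not set; refusing to start with the default secret\n";

# Enforce the advisory's minimum: at least 128 bits (16 bytes) of random
# data once the base64 wrapper is stripped. 32 bytes from the command
# above gives a 256-bit secret and passes this check.
my $raw = decode_base64($secret);
die "MOJO_SESSION_SECRET must decode to at least 16 random bytes\n"
  if length($raw) < 16;

# Replace the default secret list. The first entry signs new session
# cookies; any later entries are only used to verify existing cookies,
# which is how a secret can be rotated without logging everyone out.
app->secrets([$secret]);

# A minimal route that stores state in the signed session cookie, so the
# effect of the secret can be observed in the Set-Cookie header.
get '/' => sub ($c) {
  my $visits = ($c->session('visits') // 0) + 1;
  $c->session(visits => $visits);
  $c->render(text => "visits: $visits\n");
};

app->start;
```

Start it with, for example, `MOJO_SESSION_SECRET="$(openssl rand -base64 32)" perl app.pl daemon`; without the variable the process exits instead of silently falling back to the predictable default.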
References
----------
https://github.com/mojolicious/mojo/pull/1791
https://github.com/mojolicious/mojo/pull/2200
https://www.synacktiv.com/publications/baking-mojolicious-cookies
https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802
https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51
https://github.com/hashcat/hashcat/pull/4090