8.1 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): NONE
Mojolicious versions from 0.999922 through 9.39 for Perl use a hard-coded string, or the application's class name, as an HMAC session secret by default
Mojolicious versions from 0.999922 through 9.39 for Perl use a hard-coded string, or the application's class name, as an HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.
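As an added self-audit check (not code from this record or from the Mojolicious project), the following Python script tests whether a session cookie issued by your own deployment verifies under the predictable default secret, which is the signal that `secrets` was never configured. It assumes the Mojolicious signed-cookie layout `<base64 JSON>--<hex HMAC-SHA256>`, re-implements `Mojo::Util::decamelize` to derive the default moniker from an app class name, and treats the candidate-secret list and the sample cookie as constructed inputs.

```python
import base64
import hashlib
import hmac
import json
import re

def decamelize(class_name: str) -> str:
    """Assumed re-implementation of Mojo::Util::decamelize, which Mojolicious
    uses to derive the app moniker: 'MyApp::Web' -> 'my_app-web'."""
    if not class_name[:1].isupper():
        return class_name
    parts = []
    for pkg in class_name.split("::"):
        words = re.findall(r"[A-Z][^A-Z]*", pkg)
        parts.append("_".join(w.lower() for w in words))
    return "-".join(parts)

def split_signed_cookie(cookie_value: str):
    """Signed cookies are '<value>--<hex hmac_sha256>'; base64 never contains '-'."""
    if "--" not in cookie_value:
        raise ValueError("not a Mojolicious signed cookie")
    return cookie_value.rsplit("--", 1)

def verifying_secret(cookie_value: str, candidates):
    """Return the first candidate secret whose HMAC-SHA256 verifies the cookie, else None."""
    value, sig = split_signed_cookie(cookie_value)
    for secret in candidates:
        expected = hmac.new(secret.encode(), value.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig):
            return secret
    return None

def audit_session_cookie(cookie_value: str, app_class: str) -> dict:
    """Flag a cookie that verifies under the predictable defaults. The candidate list
    (moniker derived from the class name, or the bare class name) is an assumption."""
    defaults = [decamelize(app_class), app_class]
    matched = verifying_secret(cookie_value, defaults)
    return {"weak_default": matched is not None, "matched_secret": matched}

def make_sample_cookie(session: dict, secret: str) -> str:
    """Constructed sample in the same layout (base64 JSON, HMAC-signed); test input only."""
    value = base64.b64encode(json.dumps(session, separators=(",", ":")).encode()).decode()
    sig = hmac.new(secret.encode(), value.encode(), hashlib.sha256).hexdigest()
    return f"{value}--{sig}"
```

A `weak_default` of `True` for a cookie taken from your own app means the fix is to set `$app->secrets([...])` to long random values, then rotate so existing cookies are re-signed.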
References
- https://github.com/mojolicious/mojo/pull/1791 issue-tracking
- https://github.com/mojolicious/mojo/pull/2200 issue-tracking
- https://github.com/mojolicious/mojo/pull/2252 issue-tracking
- https://www.synacktiv.com/publications/baking-mojolicious-cookies technical-description
- https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-o… technical-description
- https://docs.mojolicious.org/Mojolicious/Guides/FAQ#What-does-Your-secret-passp… technical-description
- https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51 related
- https://github.com/hashcat/hashcat/pull/4090 exploit
- https://lists.debian.org/debian-perl/2025/05/msg00016.html mailing-list
- https://lists.debian.org/debian-perl/2025/05/msg00017.html mailing-list
- https://lists.debian.org/debian-perl/2025/05/msg00018.html mailing-list
Affected products
- =<*
- =<9.40
- =<9.39
Matching in nixpkgs
Package (description): nixos-unstable version, nixpkgs-unstable version
- pkgs.perlPackages.Mojolicious (Real-time web framework): nixos-unstable -, nixpkgs-unstable 9.39
- pkgs.perl538Packages.Mojolicious (Real-time web framework): nixos-unstable -, nixpkgs-unstable 9.39
- pkgs.perl540Packages.Mojolicious (Real-time web framework): nixos-unstable -, nixpkgs-unstable 9.39
- pkgs.perlPackages.MojoliciousPluginI18N (Internationalization Plugin for Mojolicious): nixos-unstable -, nixpkgs-unstable I18N-1.6
- pkgs.perlPackages.MojoliciousPluginMail (Mojolicious Plugin for send mail): nixos-unstable -, nixpkgs-unstable 1.5
- pkgs.perlPackages.MojoliciousPluginStatus (Mojolicious server status): nixos-unstable -, nixpkgs-unstable 1.17
- pkgs.perlPackages.MojoliciousPluginSyslog (Plugin for enabling a Mojolicious app to log to syslog): nixos-unstable -, nixpkgs-unstable 0.06
- pkgs.perl538Packages.MojoliciousPluginI18N (Internationalization Plugin for Mojolicious): nixos-unstable -, nixpkgs-unstable I18N-1.6
- pkgs.perl538Packages.MojoliciousPluginMail (Mojolicious Plugin for send mail): nixos-unstable -, nixpkgs-unstable 1.5
- pkgs.perl540Packages.MojoliciousPluginI18N (Internationalization Plugin for Mojolicious): nixos-unstable -, nixpkgs-unstable I18N-1.6
- pkgs.perl540Packages.MojoliciousPluginMail (Mojolicious Plugin for send mail): nixos-unstable -, nixpkgs-unstable 1.5
- pkgs.perlPackages.MojoliciousPluginOpenAPI (OpenAPI / Swagger plugin for Mojolicious): nixos-unstable -, nixpkgs-unstable 5.09
- pkgs.perlPackages.MojoliciousPluginWebpack (Mojolicious <3 Webpack): nixos-unstable -, nixpkgs-unstable 1.02
- pkgs.perlPackages.MojoliciousPluginGravatar (Globally Recognized Avatars for Mojolicious): nixos-unstable -, nixpkgs-unstable 0.04
- pkgs.perl538Packages.MojoliciousPluginStatus (Mojolicious server status): nixos-unstable -, nixpkgs-unstable 1.17
- pkgs.perl538Packages.MojoliciousPluginSyslog (Plugin for enabling a Mojolicious app to log to syslog): nixos-unstable -, nixpkgs-unstable 0.06
- pkgs.perl540Packages.MojoliciousPluginStatus (Mojolicious server status): nixos-unstable -, nixpkgs-unstable 1.17
- pkgs.perl540Packages.MojoliciousPluginSyslog (Plugin for enabling a Mojolicious app to log to syslog): nixos-unstable -, nixpkgs-unstable 0.06
- pkgs.perlPackages.MojoliciousPluginAssetPack (Compress and convert css, less, sass, javascript and coffeescript files): nixos-unstable -, nixpkgs-unstable 2.14
- pkgs.perl538Packages.MojoliciousPluginOpenAPI (OpenAPI / Swagger plugin for Mojolicious): nixos-unstable -, nixpkgs-unstable 5.09
- pkgs.perl538Packages.MojoliciousPluginWebpack (Mojolicious <3 Webpack): nixos-unstable -, nixpkgs-unstable 1.02
- pkgs.perl540Packages.MojoliciousPluginOpenAPI (OpenAPI / Swagger plugin for Mojolicious): nixos-unstable -, nixpkgs-unstable 5.09
- pkgs.perl540Packages.MojoliciousPluginWebpack (Mojolicious <3 Webpack): nixos-unstable -, nixpkgs-unstable 1.02
- pkgs.perlPackages.MojoliciousPluginRenderFile ("render_file" helper for Mojolicious): nixos-unstable -, nixpkgs-unstable 0.12
- pkgs.perl538Packages.MojoliciousPluginGravatar (Globally Recognized Avatars for Mojolicious): nixos-unstable -, nixpkgs-unstable 0.04
- pkgs.perl540Packages.MojoliciousPluginGravatar (Globally Recognized Avatars for Mojolicious): nixos-unstable -, nixpkgs-unstable 0.04
- pkgs.perl538Packages.MojoliciousPluginAssetPack (Compress and convert css, less, sass, javascript and coffeescript files): nixos-unstable -, nixpkgs-unstable 2.14
- pkgs.perl540Packages.MojoliciousPluginAssetPack (Compress and convert css, less, sass, javascript and coffeescript files): nixos-unstable -, nixpkgs-unstable 2.14
- pkgs.perl538Packages.MojoliciousPluginRenderFile ("render_file" helper for Mojolicious): nixos-unstable -, nixpkgs-unstable 0.12
- pkgs.perl540Packages.MojoliciousPluginRenderFile ("render_file" helper for Mojolicious): nixos-unstable -, nixpkgs-unstable 0.12
- pkgs.perlPackages.MojoliciousPluginTextExceptions (Render exceptions as text in command line user agents): nixos-unstable -, nixpkgs-unstable 0.02
- pkgs.perlPackages.MojoliciousPluginTemplateToolkit (Template Toolkit renderer plugin for Mojolicious): nixos-unstable -, nixpkgs-unstable 0.006
- pkgs.perl538Packages.MojoliciousPluginTextExceptions (Render exceptions as text in command line user agents): nixos-unstable -, nixpkgs-unstable 0.02
- pkgs.perl540Packages.MojoliciousPluginTextExceptions (Render exceptions as text in command line user agents): nixos-unstable -, nixpkgs-unstable 0.02
- pkgs.perl538Packages.MojoliciousPluginTemplateToolkit (Template Toolkit renderer plugin for Mojolicious): nixos-unstable -, nixpkgs-unstable 0.006
- pkgs.perl540Packages.MojoliciousPluginTemplateToolkit (Template Toolkit renderer plugin for Mojolicious): nixos-unstable -, nixpkgs-unstable 0.006
Package maintainers
- @thoughtpolice Austin Seipp <aseipp@pobox.com>
- @marcusramberg Marcus Ramberg <marcus@means.no>
- @stigtsp Stig Palmquist <stig@stig.io>
- @TomaSajt TomaSajt