5.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): NONE
- Availability impact (A): NONE
Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets
Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.
References
- https://perldoc.perl.org/functions/rand related
- https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181 related
- https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Comman… related
- https://github.com/mojolicious/mojo/pull/2200 issue-tracking
- https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Comman… related
- https://security.metacpan.org/docs/guides/random-data-for-security.html technical-description
- https://github.com/hashcat/hashcat/pull/4090 exploit
- https://lists.debian.org/debian-perl/2025/05/msg00016.html mailing-list
- https://lists.debian.org/debian-perl/2025/05/msg00017.html mailing-list
- https://lists.debian.org/debian-perl/2025/05/msg00018.html mailing-list
Affected products
- =<*
- =<9.40
- =<9.39
Matching in nixpkgs

| Package | Description | nixos-unstable | nixpkgs-unstable |
|---|---|---|---|
| pkgs.perlPackages.Mojolicious | Real-time web framework | - | 9.39 |
| pkgs.perl538Packages.Mojolicious | Real-time web framework | - | 9.39 |
| pkgs.perl540Packages.Mojolicious | Real-time web framework | - | 9.39 |
| pkgs.perlPackages.MojoliciousPluginI18N | Internationalization Plugin for Mojolicious | - | I18N-1.6 |
| pkgs.perlPackages.MojoliciousPluginMail | Mojolicious Plugin for send mail | - | 1.5 |
| pkgs.perlPackages.MojoliciousPluginStatus | Mojolicious server status | - | 1.17 |
| pkgs.perlPackages.MojoliciousPluginSyslog | Plugin for enabling a Mojolicious app to log to syslog | - | 0.06 |
| pkgs.perl538Packages.MojoliciousPluginI18N | Internationalization Plugin for Mojolicious | - | I18N-1.6 |
| pkgs.perl538Packages.MojoliciousPluginMail | Mojolicious Plugin for send mail | - | 1.5 |
| pkgs.perl540Packages.MojoliciousPluginI18N | Internationalization Plugin for Mojolicious | - | I18N-1.6 |
| pkgs.perl540Packages.MojoliciousPluginMail | Mojolicious Plugin for send mail | - | 1.5 |
| pkgs.perlPackages.MojoliciousPluginOpenAPI | OpenAPI / Swagger plugin for Mojolicious | - | 5.09 |
| pkgs.perlPackages.MojoliciousPluginWebpack | Mojolicious <3 Webpack | - | 1.02 |
| pkgs.perlPackages.MojoliciousPluginGravatar | Globally Recognized Avatars for Mojolicious | - | 0.04 |
| pkgs.perl538Packages.MojoliciousPluginStatus | Mojolicious server status | - | 1.17 |
| pkgs.perl538Packages.MojoliciousPluginSyslog | Plugin for enabling a Mojolicious app to log to syslog | - | 0.06 |
| pkgs.perl540Packages.MojoliciousPluginStatus | Mojolicious server status | - | 1.17 |
| pkgs.perl540Packages.MojoliciousPluginSyslog | Plugin for enabling a Mojolicious app to log to syslog | - | 0.06 |
| pkgs.perlPackages.MojoliciousPluginAssetPack | Compress and convert css, less, sass, javascript and coffeescript files | - | 2.14 |
| pkgs.perl538Packages.MojoliciousPluginOpenAPI | OpenAPI / Swagger plugin for Mojolicious | - | 5.09 |
| pkgs.perl538Packages.MojoliciousPluginWebpack | Mojolicious <3 Webpack | - | 1.02 |
| pkgs.perl540Packages.MojoliciousPluginOpenAPI | OpenAPI / Swagger plugin for Mojolicious | - | 5.09 |
| pkgs.perl540Packages.MojoliciousPluginWebpack | Mojolicious <3 Webpack | - | 1.02 |
| pkgs.perlPackages.MojoliciousPluginRenderFile | "render_file" helper for Mojolicious | - | 0.12 |
| pkgs.perl538Packages.MojoliciousPluginGravatar | Globally Recognized Avatars for Mojolicious | - | 0.04 |
| pkgs.perl540Packages.MojoliciousPluginGravatar | Globally Recognized Avatars for Mojolicious | - | 0.04 |
| pkgs.perl538Packages.MojoliciousPluginAssetPack | Compress and convert css, less, sass, javascript and coffeescript files | - | 2.14 |
| pkgs.perl540Packages.MojoliciousPluginAssetPack | Compress and convert css, less, sass, javascript and coffeescript files | - | 2.14 |
| pkgs.perl538Packages.MojoliciousPluginRenderFile | "render_file" helper for Mojolicious | - | 0.12 |
| pkgs.perl540Packages.MojoliciousPluginRenderFile | "render_file" helper for Mojolicious | - | 0.12 |
| pkgs.perlPackages.MojoliciousPluginTextExceptions | Render exceptions as text in command line user agents | - | 0.02 |
| pkgs.perlPackages.MojoliciousPluginTemplateToolkit | Template Toolkit renderer plugin for Mojolicious | - | 0.006 |
| pkgs.perl538Packages.MojoliciousPluginTextExceptions | Render exceptions as text in command line user agents | - | 0.02 |
| pkgs.perl540Packages.MojoliciousPluginTextExceptions | Render exceptions as text in command line user agents | - | 0.02 |
| pkgs.perl538Packages.MojoliciousPluginTemplateToolkit | Template Toolkit renderer plugin for Mojolicious | - | 0.006 |
| pkgs.perl540Packages.MojoliciousPluginTemplateToolkit | Template Toolkit renderer plugin for Mojolicious | - | 0.006 |
Package maintainers
- @thoughtpolice Austin Seipp <aseipp@pobox.com>
- @marcusramberg Marcus Ramberg <marcus@means.no>
- @stigtsp Stig Palmquist <stig@stig.io>
- @TomaSajt TomaSajt