CVE-2024-58134

Published: May 3, 2025

Modified: Oct 20, 2025

PUBLISHED

Description

Mojolicious for Perl, from version 0.999922, uses a hard-coded string, or the application's class name, as the HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

Vendor: SRI

Product: Mojolicious

Versions: affected, 0.999922 - <= *

Weaknesses (CWE)
