Impact
Catalyst::Plugin::Authentication prior to version 0.10_027 does not regenerate the session identifier when a user authenticates. Because the session keeps the identifier it had before login, an attacker who knows that pre-authentication identifier (for example, one the attacker obtained from the site and planted in the victim's browser) can present it after the victim logs in and act as the authenticated user. The weakness is classified as CWE-384, Session Fixation: authenticating a user without invalidating the existing session identifier gives an attacker the opportunity to take over the authenticated session.
Affected Systems
The vulnerability affects Catalyst::Plugin::Authentication for Perl in module versions earlier than 0.10_027. Because the authentication plugin does not rotate the identifier itself, the application must do so after a successful login: users of Catalyst::Plugin::Session or Catalyst::Plugin::Starch must invoke change_session_id once authenticate succeeds, and users of Plack::Middleware::Session should set the change_id flag (in psgix.session.options) in the request that logs the user in. The patch referenced in the advisory addresses the underlying issue in the authentication module.
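As an added example of the mitigation described above (this is not code from the advisory or from Catalyst::Plugin::Authentication), a Catalyst login action that rotates the session identifier immediately after a successful authenticate call. MyApp, the members realm, the template name and the form parameter names are assumed for illustration.

```perl
package MyApp::Controller::Login;
# Added example, not code from the advisory or the Catalyst project.
# MyApp, the 'members' realm and 'login.tt' are assumed names; the fix is the
# single change_session_id call made after authenticate() succeeds.
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

sub login : Path('/login') : Args(0) {
    my ( $self, $c ) = @_;
    my $username = $c->req->params->{username};
    my $password = $c->req->params->{password};

    if (   defined $username
        && defined $password
        && $c->authenticate( { username => $username, password => $password }, 'members' ) )
    {
        # Rotate the session id now that the session carries an authenticated
        # user. Catalyst::Plugin::Session keeps the session data but moves it
        # under a freshly generated id, so an id planted on the victim before
        # login no longer identifies the logged-in session.
        $c->change_session_id;
        $c->res->redirect( $c->uri_for('/') );
        return;
    }

    $c->stash( error => 'Invalid username or password', template => 'login.tt' );
}

sub logout : Path('/logout') : Args(0) {
    my ( $self, $c ) = @_;
    # Drop the user and the whole session so the id cannot be reused either.
    $c->logout;
    $c->delete_session('logout');
    $c->res->redirect( $c->uri_for('/') );
}

__PACKAGE__->meta->make_immutable;
1;
```

The same call is the right one for Catalyst::Plugin::Starch users; only the plugin providing change_session_id differs. Call it only on the success path: rotating on failed attempts is harmless but does nothing for fixation, and rotating before authenticate would leave the authenticated session under an id that could still have been fixed.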
Risk and Exploitability
The CVSS base score of 9.1 places the issue in the critical range: a successful attack gives the adversary the victim's authenticated session, and with it the confidentiality and integrity of everything that account can reach. The EPSS score of less than 1% indicates a low but nonzero estimated probability of exploitation in the wild over the next 30 days, and the vulnerability is not listed in CISA KEV. Unlike session hijacking, the attack does not require stealing the victim's cookie after login. The attacker first obtains an identifier the application will accept, which it hands to anyone who visits it, then plants that identifier in the victim's browser, for instance through a cross-site scripting flaw that sets document.cookie, a cookie set from a sibling subdomain, or injection on an unencrypted connection. When the victim logs in, the session behind that identifier becomes authenticated while its identifier stays the same, so the attacker can use it immediately. Rotating the identifier at login is what breaks this chain.
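The following added example (not from the advisory or the Catalyst project) shows the same mitigation for a plain PSGI application under Plack::Middleware::Session, together with an in-process check that reproduces the fixation sequence described above: it takes the identifier issued to an unauthenticated visitor, logs in while presenting it, and verifies that the identifier is rotated and that the old one no longer reaches the authenticated session. The application, the credentials and the routes are constructed for the demonstration; it runs offline with Plack installed and needs no server.

```perl
#!/usr/bin/env perl
# Added example, not code from the advisory or the Catalyst project: a minimal
# PSGI app behind Plack::Middleware::Session that rotates the session id at
# login, plus a Plack::Test check that the rotation defeats a fixed id.
use strict;
use warnings;
use Plack::Builder;
use Plack::Request;
use Plack::Test;
use HTTP::Request::Common;

# Constructed demo credentials; a real app would call its own authenticator.
my %users = ( alice => 'correct horse battery staple' );

my $app = sub {
    my $env     = shift;
    my $req     = Plack::Request->new($env);
    my $session = $env->{'psgix.session'};

    if ( $req->path eq '/login' && $req->method eq 'POST' ) {
        my $user = $req->parameters->{username} // '';
        my $pass = $req->parameters->{password} // '';
        if ( defined $users{$user} && $pass eq $users{$user} ) {
            $session->{user} = $user;
            # The fix: ask the middleware to issue a fresh id when it finalizes
            # this response. The old id is removed from the store, so an id
            # planted on the victim before login no longer maps to the session.
            $env->{'psgix.session.options'}{change_id} = 1;
            return [ 302, [ Location => '/' ], [] ];
        }
        return [ 401, [ 'Content-Type' => 'text/plain' ], ['bad credentials'] ];
    }

    # Touch the session on the first visit so a pre-authentication id is
    # issued; this is the id an attacker would fixate on a victim.
    $session->{seen} //= 1;
    my $who = $session->{user} // 'anonymous';
    return [ 200, [ 'Content-Type' => 'text/plain' ], ["hello $who"] ];
};

# Default store is in-memory; default state is a cookie named plack_session.
my $wrapped = builder {
    enable 'Session';
    $app;
};

# Pull the session id out of a response's Set-Cookie header, if any.
sub session_id_from {
    my ($res) = @_;
    my ($id) = ( $res->header('Set-Cookie') // '' ) =~ /plack_session=([^;]+)/;
    return $id;
}

test_psgi app => $wrapped, client => sub {
    my $cb = shift;

    # 1. An unauthenticated visit yields a session id: the id to be fixed.
    my $fixed = session_id_from( $cb->( GET '/' ) );
    die "no pre-authentication session id issued\n" unless $fixed;

    # 2. The victim logs in while carrying that id.
    my $login = $cb->(
        POST '/login',
        [ username => 'alice', password => 'correct horse battery staple' ],
        Cookie => "plack_session=$fixed"
    );
    my $rotated = session_id_from($login);

    # 3. The id must have changed, the old id must not reach the logged-in
    #    session, and the new id must.
    die "session id was not rotated at login\n"
        unless $rotated && $rotated ne $fixed;
    my $via_fixed   = $cb->( GET '/', Cookie => "plack_session=$fixed" )->content;
    my $via_rotated = $cb->( GET '/', Cookie => "plack_session=$rotated" )->content;
    die "fixed id still reaches the authenticated session\n"
        unless $via_fixed eq 'hello anonymous';
    die "rotated id does not carry the authenticated session\n"
        unless $via_rotated eq 'hello alice';

    print "ok: session id rotated at login and the fixed id was invalidated\n";
};
```

Removing the change_id line and rerunning the script makes the third check fail, which is exactly the condition the advisory describes: the pre-login identifier keeps working after authentication. The same two-request test (note the identifier before login, confirm it differs and is dead afterwards) is the quickest way to audit a deployed Catalyst application for this issue.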
OpenCVE Enrichment