Description
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.

Plack::Middleware::Session::Cookie versions through 0.21 have a security vulnerability that allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.
Published: 2026-03-26
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Plack::Middleware::Session::Cookie through version 0.21 keeps the serialized session inside the cookie itself and, when no 'secret' is configured, deserializes the client-supplied cookie body without any integrity check. An attacker can therefore send a crafted cookie that the application deserializes, causing the server to execute attacker-controlled code. The result is unauthenticated remote code execution with the privileges of the web application process.

Affected Systems

The Perl module Plack::Middleware::Session::Cookie, shipped in the Plack::Middleware::Session distribution (CPAN author MIYAGAWA), versions 0.21 and earlier. Any application that uses this middleware for session handling without a configured 'secret' is vulnerable, on any platform. The official fix is to upgrade to version 0.23 or later and configure the 'secret' parameter, which the fixed versions require; setting a secret also protects existing installations that cannot yet be upgraded.

Risk and Exploitability

With a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) the flaw is rated critical. EPSS currently puts the exploitation likelihood below 1%, and the vulnerability is not listed in CISA's KEV catalog; the SSVC assessment nevertheless marks it as automatable with total technical impact. Because the attack is network-reachable, unauthenticated and needs no user interaction, the risk is high for any exposed application that uses the module for session handling: the attacker simply sends the crafted cookie in an ordinary HTTP request to any route served behind the middleware, and without a signing secret the server cannot distinguish it from a legitimate session cookie.

Generated by OpenCVE AI on March 26, 2026 at 16:51 UTC.

Remediation

Vendor Solution

Upgrade Plack::Middleware::Session to version 0.23 or later (ideally version 0.36 or later), and set the "secret" option.


Vendor Workaround

Set the "secret" option.


OpenCVE Recommended Actions

  • Apply vendor patch: upgrade Plack::Middleware::Session to 0.23 or later and set the "secret" option.
  • If upgrade is not immediately possible, configure the "secret" option so that session cookies are signed on the way out and verified before their contents are deserialized; an unsigned or tampered cookie is then rejected instead of deserialized.
  • Continue monitoring for exploitation attempts and apply future updates promptly.
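The hardened configuration the remediation above describes, written here as an added example; it is not code from the Plack::Middleware::Session distribution or from this advisory. It assumes the middleware's documented 'secret', 'session_key', 'expires', 'httponly' and 'secure' options, a SESSION_SECRET environment variable supplied by the operator, and a minimum secret length of 32 bytes that is this example's own choice, not a requirement stated in the advisory.

```perl
# app.psgi -- added example, not code from Plack::Middleware::Session or from
# this advisory. Assumes: the documented 'secret', 'session_key', 'expires',
# 'httponly' and 'secure' options; a SESSION_SECRET environment variable set
# by the operator; the 32-byte minimum below is this example's own choice.
use strict;
use warnings;
use Plack::Builder;
use Plack::Middleware::Session;   # Session::Cookie inherits from this module

# Fail closed at startup if the installed distribution predates the fix.
# 0.23 is the first version the advisory names as fixed; UNIVERSAL::VERSION
# dies when the installed $VERSION is lower than the requested one.
Plack::Middleware::Session->VERSION('0.23');

# Refuse to start without a signing secret: without one the cookie body is
# deserialized with no integrity check, which is exactly the condition
# CVE-2014-125112 requires.
my $secret = $ENV{SESSION_SECRET}
    or die "SESSION_SECRET must be set: unsigned session cookies are unsafe\n";
die "SESSION_SECRET is too short (want at least 32 bytes)\n"
    if length($secret) < 32;

my $app = sub {
    my $env = shift;
    # psgix.session is the hash the middleware thaws from the cookie.
    my $session = $env->{'psgix.session'};
    $session->{hits} = ($session->{hits} // 0) + 1;
    return [ 200, [ 'Content-Type' => 'text/plain' ],
             [ "hits this session: $session->{hits}\n" ] ];
};

builder {
    # VULNERABLE (do not use): no 'secret', so whatever the client sends in
    # the cookie is deserialized as-is.
    # enable 'Session::Cookie', session_key => 'sid';

    # HARDENED: the cookie is signed with the secret and verified before its
    # contents are deserialized; 'secure' assumes the app is served over TLS.
    enable 'Session::Cookie',
        session_key => 'sid',
        secret      => $secret,
        httponly    => 1,
        secure      => 1,
        expires     => 3600;
    $app;
};
```

Run it with `SESSION_SECRET="$(head -c 48 /dev/urandom | base64)" plackup app.psgi`; with the variable unset, or with a Plack::Middleware::Session older than 0.23 installed, the process refuses to start rather than silently serving unsigned sessions. The version check is on the distribution's main module because that is the package the remediation tells you to upgrade and the class Session::Cookie inherits from.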

Generated by OpenCVE AI on March 26, 2026 at 16:51 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 10 Apr 2026 00:15:00 +0000
  References: updated
  Metrics (threat_severity): None -> Critical

Thu, 26 Mar 2026 16:15:00 +0000
  Metrics (ssvc) added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 15:30:00 +0000
  Metrics (cvssV3_1) added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Mar 2026 12:00:00 +0000
  First Time appeared: Miyagawa; Miyagawa plack::middleware::session::cookie
  Vendors & Products added: Miyagawa; Miyagawa plack::middleware::session::cookie

Thu, 26 Mar 2026 05:30:00 +0000
  References: updated

Thu, 26 Mar 2026 02:30:00 +0000
  Description added: Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.
  Title added: Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution
  Weaknesses added: CWE-565 (Reliance on Cookies without Validation and Integrity Checking)
  References: added

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-03-26T14:53:30.210Z

Reserved: 2025-07-08T15:24:38.840Z

Link: CVE-2014-125112

Vulnrichment

Updated: 2026-03-26T04:46:57.862Z

NVD

Status : Awaiting Analysis

Published: 2026-03-26T03:16:00.423

Modified: 2026-03-26T15:16:26.460

Link: CVE-2014-125112

Redhat

Severity : Critical

Public Date: 2026-03-26T02:04:10Z

Links: CVE-2014-125112 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:28:58Z

Weaknesses