{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2014-125112", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2025-07-08T15:24:38.840Z", "datePublished": "2026-03-26T02:04:10.267Z", "dateUpdated": "2026-03-26T14:53:30.210Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Plack-Middleware-Session", "product": "Plack::Middleware::Session::Cookie", "repo": "https://github.com/plack/Plack-Middleware-Session", "vendor": "MIYAGAWA", "versions": [{"lessThanOrEqual": "0.21", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "mala (@bulkneets)"}], "descriptions": [{"lang": "en", "value": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\n\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-565", "description": "CWE-565 Reliance on Cookies without Validation and Integrity Checking", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-03-26T02:04:10.267Z"}, "references": [{"tags": ["technical-description"], "url": "https://gist.github.com/miyagawa/2b8764af908a0dacd43d"}, {"tags": ["release-notes"], "url": "https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes"}], "solutions": [{"lang": "en", "value": "Upgrade Plack::Middleware::Session to version 0.23 or later (ideally version 0.36 or later), and set the \"secret\" option."}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2014-08-11T00:00:00.000Z", "value": "Vulnerability disclosed by MIYAGAWA."}, {"lang": "en", "time": "2014-08-11T00:00:00.000Z", "value": "Version 0.22 released that warns when the \"secret\" option is not set."}, {"lang": "en", "time": "2014-08-11T00:00:00.000Z", "value": "Version 0.23-TRIAL released that requires the \"secret\" option to be set."}, {"lang": "en", "time": "2014-09-05T00:00:00.000Z", "value": "Version 0.24 released. Same as 0.23 but not a trial release."}, {"lang": "en", "time": "2016-02-03T00:00:00.000Z", "value": "Version 0.26 released. Documentation improved with SYNOPSIS giving an example of how to set the \"secret\" option."}, {"lang": "en", "time": "2019-01-26T00:00:00.000Z", "value": "CPANSA-Plack-Middleware-Session-Cookie-2014-01 assigned in CPAN::Audit::DB"}, {"lang": "en", "time": "2019-03-09T00:00:00.000Z", "value": "CPANSA-Plack-Middleware-Session-2014-01 reassigned in CPAN::Audit::DB"}, {"lang": "en", "time": "2025-07-08T00:00:00.000Z", "value": "CVE-2014-125112 assigned by CPANSec."}], "title": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution", "workarounds": [{"lang": "en", "value": "Set the \"secret\" option."}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/26/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-26T04:46:57.862Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T14:52:33.130571Z", "id": "CVE-2014-125112", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:53:30.210Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/26/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-26T04:46:57.862Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2014-125112", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T14:52:33.130571Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:52:42.675Z"}}], "cna": {"title": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "mala (@bulkneets)"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "affected": [{"repo": "https://github.com/plack/Plack-Middleware-Session", "vendor": "MIYAGAWA", "product": "Plack::Middleware::Session::Cookie", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "0.21"}], "packageName": "Plack-Middleware-Session", "collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2014-08-11T00:00:00.000Z", "value": "Vulnerability disclosed by MIYAGAWA."}, {"lang": "en", "time": "2014-08-11T00:00:00.000Z", "value": "Version 0.22 released that warns when the \"secret\" option is not set."}, {"lang": "en", "time": "2014-08-11T00:00:00.000Z", "value": "Version 0.23-TRIAL released that requires the \"secret\" option to be set."}, {"lang": "en", "time": "2014-09-05T00:00:00.000Z", "value": "Version 0.24 released. Same as 0.23 but not a trial release."}, {"lang": "en", "time": "2016-02-03T00:00:00.000Z", "value": "Version 0.26 released. Documentation improved with SYNOPSIS giving an example of how to set the \"secret\" option."}, {"lang": "en", "time": "2019-01-26T00:00:00.000Z", "value": "CPANSA-Plack-Middleware-Session-Cookie-2014-01 assigned in CPAN::Audit::DB"}, {"lang": "en", "time": "2019-03-09T00:00:00.000Z", "value": "CPANSA-Plack-Middleware-Session-2014-01 reassigned in CPAN::Audit::DB"}, {"lang": "en", "time": "2025-07-08T00:00:00.000Z", "value": "CVE-2014-125112 assigned by CPANSec."}], "solutions": [{"lang": "en", "value": "Upgrade Plack::Middleware::Session to version 0.23 or later (ideally version 0.36 or later), and set the \"secret\" option."}], "references": [{"url": "https://gist.github.com/miyagawa/2b8764af908a0dacd43d", "tags": ["technical-description"]}, {"url": "https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes", "tags": ["release-notes"]}], "workarounds": [{"lang": "en", "value": "Set the \"secret\" option."}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}, "descriptions": [{"lang": "en", "value": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\n\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-565", "description": "CWE-565 Reliance on Cookies without Validation and Integrity Checking"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-03-26T02:04:10.267Z"}}}, "cveMetadata": {"cveId": "CVE-2014-125112", "state": "PUBLISHED", "dateUpdated": "2026-03-26T14:53:30.210Z", "dateReserved": "2025-07-08T15:24:38.840Z", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "datePublished": "2026-03-26T02:04:10.267Z", "assignerShortName": "CPANSec"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\n\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie."}], "id": "CVE-2014-125112", "lastModified": "2026-03-26T15:16:26.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T03:16:00.423", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://gist.github.com/miyagawa/2b8764af908a0dacd43d"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/03/26/2"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-565"}], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.21]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Plack::Middleware::Session::Cookie", "source": "cna", "vendor": "MIYAGAWA"}, "product": "plack::middleware::session::cookie", "vendor": "miyagawa"}], "analysis": {"en": {"generated_at": "2026-03-26T03:09:13.021307+00:00", "value": {"mitigation_remediation": ["Upgrade Plack::Middleware::Session to version 0.23 or later and configure the \"secret\" option.", "If upgrade not possible, set the \"secret\" option in the current configuration as a temporary workaround."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Plack::Middleware::Session::Cookie, developed by MIYAGAWA, and it includes all releases up to and including version 0.21. Systems running Perl applications that employ this middleware and have not upgraded to at least version 0.23, or have not set the \"secret\" option, are vulnerable.", "description_and_impact": "Plack::Middleware::Session::Cookie, versions 0.20 and 0.21 for Perl, contain a flaw that permits arbitrary code execution during the deserialization of session cookies that lack a secret signature. Because the middleware trusts the cookie data, an attacker can supply a manipulated cookie and cause the server to execute code of the attacker's choosing. The weakness is a form of insecure deserialization (CWE\u2011565).", "risk_and_exploitability": "Remote code execution vulnerabilities typically have a high severity, yet the CVSS score is not explicitly provided in the data. EPSS information is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting no documented public exploits at the time of disclosure. The likelihood of exploitation depends on whether an application accepts unauthenticated or user\u2011controlled session cookies; if such cookies are used, an attacker can craft a malicious cookie and trigger code execution. Organizations should treat this as an urgent risk and apply the recommended patch."}}}}, "created": "2026-03-26T11:30:46.269850+00:00", "updated": "2026-03-26T12:08:47.510034+00:00", "vendors": ["miyagawa", "miyagawa$PRODUCT$plack::middleware::session::cookie"]}