These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
Metrics
Affected Vendors & Products
Source | ID | Title |
---|---|---|
![]() |
EUVD-2025-13360 | Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session. |
Solution
No solution given by the vendor.
Workaround
Ensure that your Mojolicious application uses a unique secret of at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the "openssl rand -base64 32" command.
Mon, 20 Oct 2025 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session. | Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session. |
Title | Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default | Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default |
References |
|
|
Tue, 17 Jun 2025 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Mojolicious
Mojolicious mojolicious |
|
CPEs | cpe:2.3:a:mojolicious:mojolicious:*:*:*:*:*:perl:*:* | |
Vendors & Products |
Mojolicious
Mojolicious mojolicious |
Mon, 12 May 2025 18:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session. | Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session. |
Title | Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default | Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default |
Mon, 12 May 2025 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
cvssV3_1
|
Sat, 03 May 2025 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session. | |
Title | Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default | |
Weaknesses | CWE-321 CWE-331 |
|
References |
|
|

Status: PUBLISHED
Assigner: CPANSec
Published:
Updated: 2025-10-20T20:09:00.882Z
Reserved: 2025-04-07T16:06:37.226Z
Link: CVE-2024-58134

Updated: 2025-05-12T16:00:24.352Z

Status : Modified
Published: 2025-05-03T16:15:19.310
Modified: 2025-10-20T20:15:36.697
Link: CVE-2024-58134

No data.

No data.