Description
Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely.

The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID.

These are predictable or low-entropy sources that are unsuitable for security purposes.
Published: 2026-06-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw causes session identifiers to be generated using a SHA‑1 hash seeded with low‑entropy data such as the built‑in rand value, current epoch time, a heap address of an anonymous hash, and the process ID. Because the inputs lack sufficient entropy and the hash function is not cryptographically secure for ID generation, an attacker can anticipate or brute‑force valid session identifiers, enabling session hijacking or fixation. The weakness falls under insufficient random number generation (CWE‑340) and weak cryptographic strength (CWE‑338).

Affected Systems

The vulnerability affects the HAYAJO Mojolicious::Sessions::Storable Perl module, specifically versions up to and including 0.05. Any application that relies on this module for session management is at risk unless it has been updated beyond 0.05.

Risk and Exploitability

The CVSS score of 5.3 signifies a moderate severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. Based on the description, the likely attack vector is local or remote web application access; a motivated attacker could generate or guess session IDs with only knowledge of the algorithm and minimal setup, particularly in environments where session IDs are transmitted over the network.

Generated by OpenCVE AI on June 18, 2026 at 22:04 UTC.

Remediation

Vendor Workaround

Apply the patch, which requires an upgrade to Mojolicious 9.46 or later.


OpenCVE Recommended Actions

  • Apply the patch by upgrading to Mojolicious 9.46 or later, as specified by the official workaround.
  • Replace the default session‑id generator with a cryptographically secure random number source that provides high entropy, ensuring that future session IDs cannot be predicted.
  • Review and harden session‑management configuration: remove session identifiers from URLs and logs, enforce the Secure and HttpOnly flags on session cookies, and consider using server‑side session binding to mitigate hijacking.

Generated by OpenCVE AI on June 18, 2026 at 22:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Hayajo
Hayajo mojolicious::sessions::storable
Vendors & Products Hayajo
Hayajo mojolicious::sessions::storable

Thu, 18 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy sources that are unsuitable for security purposes.
Title Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely
Weaknesses CWE-338
CWE-340
References

Subscriptions

Hayajo Mojolicious::sessions::storable
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-18T18:47:32.577Z

Reserved: 2026-05-27T10:52:01.931Z

Link: CVE-2026-9692

cve-icon Vulnrichment

Updated: 2026-06-18T18:47:18.296Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:55:51Z

Weaknesses
  • CWE-338

    Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • CWE-340

    Generation of Predictable Numbers or Identifiers