Description
Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as the HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.
References (11)
Issue Tracking: https://github.com/mojolicious/mojo/pull/2252
Issue Tracking, Patch: https://github.com/mojolicious/mojo/pull/1791
Issue Tracking, Patch: https://github.com/mojolicious/mojo/pull/2200
Exploit: https://www.synacktiv.com/publications/baking-mojolicious-cookies
Third Party Advisory: https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802
Issue Tracking, Patch: https://github.com/hashcat/hashcat/pull/4090
Mailing List: https://lists.debian.org/debian-perl/2025/05/msg00016.html
Mailing List: https://lists.debian.org/debian-perl/2025/05/msg00017.html
Mailing List: https://lists.debian.org/debian-perl/2025/05/msg00018.html
Various Sources: https://docs.mojolicious.org/Mojolicious/Guides/FAQ#What-does-Your-secret-passphrase-needs-to-be-changed-mean
Scores
CVSS v3: 8.1
EPSS: 0.0044
EPSS Percentile: 34.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-331, CWE-321
Status: published
Products (1)
mojolicious/mojolicious: 0.999922 - 9.40
Published: May 03, 2025
Tracked Since: Feb 18, 2026