CVE-2024-58134

CVE-2024-58134: Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as an HMAC session cookie secret by default

Vendor: Sri
Product: Mojolicious
Weakness: CWE-321
Published: May 3, 2025
Last update: October 20, 2025

What the vulnerability does

01 Description

Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as an HMAC session cookie secret by default. An attacker can exploit these predictable default secrets to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

Key dates

02 Disclosure timeline

May 3, 2025: CVE published
October 20, 2025: Record updated