Vulnerability Details CVE-2024-58135
Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default
When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 31.6%
CVSS Severity
CVSS v3 Score 5.3
Products affected by CVE-2024-58135
- cpe:2.3:a:mojolicious:mojolicious:7.28
- cpe:2.3:a:mojolicious:mojolicious:7.29
- cpe:2.3:a:mojolicious:mojolicious:7.30
- cpe:2.3:a:mojolicious:mojolicious:7.31
- cpe:2.3:a:mojolicious:mojolicious:7.32
- cpe:2.3:a:mojolicious:mojolicious:7.33
- cpe:2.3:a:mojolicious:mojolicious:7.34
- cpe:2.3:a:mojolicious:mojolicious:7.35
- cpe:2.3:a:mojolicious:mojolicious:7.36
- cpe:2.3:a:mojolicious:mojolicious:7.37
- cpe:2.3:a:mojolicious:mojolicious:7.38
- cpe:2.3:a:mojolicious:mojolicious:7.39
- cpe:2.3:a:mojolicious:mojolicious:7.40
- cpe:2.3:a:mojolicious:mojolicious:7.41
- cpe:2.3:a:mojolicious:mojolicious:7.42
- cpe:2.3:a:mojolicious:mojolicious:7.43
- cpe:2.3:a:mojolicious:mojolicious:7.44
- cpe:2.3:a:mojolicious:mojolicious:7.45
- cpe:2.3:a:mojolicious:mojolicious:7.46
- cpe:2.3:a:mojolicious:mojolicious:7.47
- cpe:2.3:a:mojolicious:mojolicious:7.48
- cpe:2.3:a:mojolicious:mojolicious:7.49
- cpe:2.3:a:mojolicious:mojolicious:7.50
- cpe:2.3:a:mojolicious:mojolicious:7.51
- cpe:2.3:a:mojolicious:mojolicious:7.52
- cpe:2.3:a:mojolicious:mojolicious:7.53
- cpe:2.3:a:mojolicious:mojolicious:7.54
- cpe:2.3:a:mojolicious:mojolicious:7.55
- cpe:2.3:a:mojolicious:mojolicious:7.56
- cpe:2.3:a:mojolicious:mojolicious:7.57
- cpe:2.3:a:mojolicious:mojolicious:7.58
- cpe:2.3:a:mojolicious:mojolicious:7.59
- cpe:2.3:a:mojolicious:mojolicious:7.60
- cpe:2.3:a:mojolicious:mojolicious:7.61
- cpe:2.3:a:mojolicious:mojolicious:7.62
- cpe:2.3:a:mojolicious:mojolicious:7.63
- cpe:2.3:a:mojolicious:mojolicious:7.64
- cpe:2.3:a:mojolicious:mojolicious:7.65
- cpe:2.3:a:mojolicious:mojolicious:7.66
- cpe:2.3:a:mojolicious:mojolicious:7.67
- cpe:2.3:a:mojolicious:mojolicious:7.68
- cpe:2.3:a:mojolicious:mojolicious:7.69
- cpe:2.3:a:mojolicious:mojolicious:7.70
- cpe:2.3:a:mojolicious:mojolicious:7.71
- cpe:2.3:a:mojolicious:mojolicious:7.72
- cpe:2.3:a:mojolicious:mojolicious:7.73
- cpe:2.3:a:mojolicious:mojolicious:7.74
- cpe:2.3:a:mojolicious:mojolicious:7.75
- cpe:2.3:a:mojolicious:mojolicious:7.76
- cpe:2.3:a:mojolicious:mojolicious:7.77
- cpe:2.3:a:mojolicious:mojolicious:7.78
- cpe:2.3:a:mojolicious:mojolicious:7.79
- cpe:2.3:a:mojolicious:mojolicious:7.80
- cpe:2.3:a:mojolicious:mojolicious:7.81
- cpe:2.3:a:mojolicious:mojolicious:7.82
- cpe:2.3:a:mojolicious:mojolicious:7.83
- cpe:2.3:a:mojolicious:mojolicious:7.84
- cpe:2.3:a:mojolicious:mojolicious:7.85
- cpe:2.3:a:mojolicious:mojolicious:7.86
- cpe:2.3:a:mojolicious:mojolicious:7.87
- cpe:2.3:a:mojolicious:mojolicious:7.88
- cpe:2.3:a:mojolicious:mojolicious:7.89
- cpe:2.3:a:mojolicious:mojolicious:7.90
- cpe:2.3:a:mojolicious:mojolicious:7.91
- cpe:2.3:a:mojolicious:mojolicious:7.92
- cpe:2.3:a:mojolicious:mojolicious:7.93
- cpe:2.3:a:mojolicious:mojolicious:7.94
- cpe:2.3:a:mojolicious:mojolicious:8.0
- cpe:2.3:a:mojolicious:mojolicious:8.01
- cpe:2.3:a:mojolicious:mojolicious:8.02
- cpe:2.3:a:mojolicious:mojolicious:8.03
- cpe:2.3:a:mojolicious:mojolicious:8.04
- cpe:2.3:a:mojolicious:mojolicious:8.05
- cpe:2.3:a:mojolicious:mojolicious:8.06
- cpe:2.3:a:mojolicious:mojolicious:8.07
- cpe:2.3:a:mojolicious:mojolicious:8.08
- cpe:2.3:a:mojolicious:mojolicious:8.09
- cpe:2.3:a:mojolicious:mojolicious:8.10
- cpe:2.3:a:mojolicious:mojolicious:8.11
- cpe:2.3:a:mojolicious:mojolicious:8.12
- cpe:2.3:a:mojolicious:mojolicious:8.13
- cpe:2.3:a:mojolicious:mojolicious:8.14
- cpe:2.3:a:mojolicious:mojolicious:8.15
- cpe:2.3:a:mojolicious:mojolicious:8.16
- cpe:2.3:a:mojolicious:mojolicious:8.17
- cpe:2.3:a:mojolicious:mojolicious:8.18
- cpe:2.3:a:mojolicious:mojolicious:8.19
- cpe:2.3:a:mojolicious:mojolicious:8.20
- cpe:2.3:a:mojolicious:mojolicious:8.21
- cpe:2.3:a:mojolicious:mojolicious:8.22
- cpe:2.3:a:mojolicious:mojolicious:8.23
- cpe:2.3:a:mojolicious:mojolicious:8.24
- cpe:2.3:a:mojolicious:mojolicious:8.25
- cpe:2.3:a:mojolicious:mojolicious:8.26
- cpe:2.3:a:mojolicious:mojolicious:8.27
- cpe:2.3:a:mojolicious:mojolicious:8.28
- cpe:2.3:a:mojolicious:mojolicious:8.29
- cpe:2.3:a:mojolicious:mojolicious:8.30
- cpe:2.3:a:mojolicious:mojolicious:8.31
- cpe:2.3:a:mojolicious:mojolicious:8.32
- cpe:2.3:a:mojolicious:mojolicious:8.33
- cpe:2.3:a:mojolicious:mojolicious:8.35
- cpe:2.3:a:mojolicious:mojolicious:8.36
- cpe:2.3:a:mojolicious:mojolicious:8.37
- cpe:2.3:a:mojolicious:mojolicious:8.38
- cpe:2.3:a:mojolicious:mojolicious:8.39
- cpe:2.3:a:mojolicious:mojolicious:8.40
- cpe:2.3:a:mojolicious:mojolicious:8.41
- cpe:2.3:a:mojolicious:mojolicious:8.42
- cpe:2.3:a:mojolicious:mojolicious:8.50
- cpe:2.3:a:mojolicious:mojolicious:8.51
- cpe:2.3:a:mojolicious:mojolicious:8.52
- cpe:2.3:a:mojolicious:mojolicious:8.53
- cpe:2.3:a:mojolicious:mojolicious:8.54
- cpe:2.3:a:mojolicious:mojolicious:8.55
- cpe:2.3:a:mojolicious:mojolicious:8.56
- cpe:2.3:a:mojolicious:mojolicious:8.57
- cpe:2.3:a:mojolicious:mojolicious:8.58
- cpe:2.3:a:mojolicious:mojolicious:8.59
- cpe:2.3:a:mojolicious:mojolicious:8.60
- cpe:2.3:a:mojolicious:mojolicious:8.61
- cpe:2.3:a:mojolicious:mojolicious:8.62
- cpe:2.3:a:mojolicious:mojolicious:8.63
- cpe:2.3:a:mojolicious:mojolicious:8.64
- cpe:2.3:a:mojolicious:mojolicious:8.65
- cpe:2.3:a:mojolicious:mojolicious:8.66
- cpe:2.3:a:mojolicious:mojolicious:8.67
- cpe:2.3:a:mojolicious:mojolicious:8.68
- cpe:2.3:a:mojolicious:mojolicious:8.69
- cpe:2.3:a:mojolicious:mojolicious:8.70
- cpe:2.3:a:mojolicious:mojolicious:8.71
- cpe:2.3:a:mojolicious:mojolicious:8.72
- cpe:2.3:a:mojolicious:mojolicious:8.73
- cpe:2.3:a:mojolicious:mojolicious:9.0
- cpe:2.3:a:mojolicious:mojolicious:9.01
- cpe:2.3:a:mojolicious:mojolicious:9.02
- cpe:2.3:a:mojolicious:mojolicious:9.03
- cpe:2.3:a:mojolicious:mojolicious:9.07
- cpe:2.3:a:mojolicious:mojolicious:9.08
- cpe:2.3:a:mojolicious:mojolicious:9.09
- cpe:2.3:a:mojolicious:mojolicious:9.10
- cpe:2.3:a:mojolicious:mojolicious:9.11
- cpe:2.3:a:mojolicious:mojolicious:9.12
- cpe:2.3:a:mojolicious:mojolicious:9.13
- cpe:2.3:a:mojolicious:mojolicious:9.14
- cpe:2.3:a:mojolicious:mojolicious:9.15
- cpe:2.3:a:mojolicious:mojolicious:9.16
- cpe:2.3:a:mojolicious:mojolicious:9.17
- cpe:2.3:a:mojolicious:mojolicious:9.18
- cpe:2.3:a:mojolicious:mojolicious:9.19
- cpe:2.3:a:mojolicious:mojolicious:9.20
- cpe:2.3:a:mojolicious:mojolicious:9.21
- cpe:2.3:a:mojolicious:mojolicious:9.22
- cpe:2.3:a:mojolicious:mojolicious:9.23
- cpe:2.3:a:mojolicious:mojolicious:9.24
- cpe:2.3:a:mojolicious:mojolicious:9.25
- cpe:2.3:a:mojolicious:mojolicious:9.26
- cpe:2.3:a:mojolicious:mojolicious:9.27
- cpe:2.3:a:mojolicious:mojolicious:9.28
- cpe:2.3:a:mojolicious:mojolicious:9.29
- cpe:2.3:a:mojolicious:mojolicious:9.30
- cpe:2.3:a:mojolicious:mojolicious:9.31
- cpe:2.3:a:mojolicious:mojolicious:9.32
- cpe:2.3:a:mojolicious:mojolicious:9.33
- cpe:2.3:a:mojolicious:mojolicious:9.34
- cpe:2.3:a:mojolicious:mojolicious:9.35
- cpe:2.3:a:mojolicious:mojolicious:9.36
- cpe:2.3:a:mojolicious:mojolicious:9.37
- cpe:2.3:a:mojolicious:mojolicious:9.38
- cpe:2.3:a:mojolicious:mojolicious:9.39
- cpe:2.3:a:mojolicious:mojolicious:9.40