CVE Vulnerabilities

CVE-2024-58134

Use of Hard-coded Cryptographic Key

Published: May 03, 2025 | Modified: May 03, 2025
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the applications class name, as a HMAC session secret by default.

These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

Weakness

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

Potential Mitigations

References