{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2014-125112", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2025-07-08T15:24:38.840Z", "datePublished": "2026-03-26T02:04:10.267Z", "dateUpdated": "2026-03-26T14:53:30.210Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Plack-Middleware-Session", "product": "Plack::Middleware::Session::Cookie", "repo": "https://github.com/plack/Plack-Middleware-Session", "vendor": "MIYAGAWA", "versions": [{"lessThanOrEqual": "0.21", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "mala (@bulkneets)"}], "descriptions": [{"lang": "en", "value": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\n\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-565", "description": "CWE-565 Reliance on Cookies without Validation and Integrity Checking", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-03-26T02:04:10.267Z"}, "references": [{"tags": ["technical-description"], "url": "https://gist.github.com/miyagawa/2b8764af908a0dacd43d"}, {"tags": ["release-notes"], "url": "https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes"}], "solutions": [{"lang": "en", "value": "Upgrade Plack::Middleware::Session to version 0.23 or later (ideally version 0.36 or later), and set the \"secret\" option."}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2014-08-11T00:00:00.000Z", "value": "Vulnerability disclosed by MIYAGAWA."}, {"lang": "en", "time": "2014-08-11T00:00:00.000Z", "value": "Version 0.22 released that warns when the \"secret\" option is not set."}, {"lang": "en", "time": "2014-08-11T00:00:00.000Z", "value": "Version 0.23-TRIAL released that requires the \"secret\" option to be set."}, {"lang": "en", "time": "2014-09-05T00:00:00.000Z", "value": "Version 0.24 released. Same as 0.23 but not a trial release."}, {"lang": "en", "time": "2016-02-03T00:00:00.000Z", "value": "Version 0.26 released. Documentation improved with SYNOPSIS giving an example of how to set the \"secret\" option."}, {"lang": "en", "time": "2019-01-26T00:00:00.000Z", "value": "CPANSA-Plack-Middleware-Session-Cookie-2014-01 assigned in CPAN::Audit::DB"}, {"lang": "en", "time": "2019-03-09T00:00:00.000Z", "value": "CPANSA-Plack-Middleware-Session-2014-01 reassigned in CPAN::Audit::DB"}, {"lang": "en", "time": "2025-07-08T00:00:00.000Z", "value": "CVE-2014-125112 assigned by CPANSec."}], "title": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution", "workarounds": [{"lang": "en", "value": "Set the \"secret\" option."}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/26/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-26T04:46:57.862Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T14:52:33.130571Z", "id": "CVE-2014-125112", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:53:30.210Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/26/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-26T04:46:57.862Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2014-125112", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T14:52:33.130571Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:52:42.675Z"}}], "cna": {"title": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "mala (@bulkneets)"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "affected": [{"repo": "https://github.com/plack/Plack-Middleware-Session", "vendor": "MIYAGAWA", "product": "Plack::Middleware::Session::Cookie", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "0.21"}], "packageName": "Plack-Middleware-Session", "collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2014-08-11T00:00:00.000Z", "value": "Vulnerability disclosed by MIYAGAWA."}, {"lang": "en", "time": "2014-08-11T00:00:00.000Z", "value": "Version 0.22 released that warns when the \"secret\" option is not set."}, {"lang": "en", "time": "2014-08-11T00:00:00.000Z", "value": "Version 0.23-TRIAL released that requires the \"secret\" option to be set."}, {"lang": "en", "time": "2014-09-05T00:00:00.000Z", "value": "Version 0.24 released. Same as 0.23 but not a trial release."}, {"lang": "en", "time": "2016-02-03T00:00:00.000Z", "value": "Version 0.26 released. Documentation improved with SYNOPSIS giving an example of how to set the \"secret\" option."}, {"lang": "en", "time": "2019-01-26T00:00:00.000Z", "value": "CPANSA-Plack-Middleware-Session-Cookie-2014-01 assigned in CPAN::Audit::DB"}, {"lang": "en", "time": "2019-03-09T00:00:00.000Z", "value": "CPANSA-Plack-Middleware-Session-2014-01 reassigned in CPAN::Audit::DB"}, {"lang": "en", "time": "2025-07-08T00:00:00.000Z", "value": "CVE-2014-125112 assigned by CPANSec."}], "solutions": [{"lang": "en", "value": "Upgrade Plack::Middleware::Session to version 0.23 or later (ideally version 0.36 or later), and set the \"secret\" option."}], "references": [{"url": "https://gist.github.com/miyagawa/2b8764af908a0dacd43d", "tags": ["technical-description"]}, {"url": "https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes", "tags": ["release-notes"]}], "workarounds": [{"lang": "en", "value": "Set the \"secret\" option."}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}, "descriptions": [{"lang": "en", "value": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\n\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-565", "description": "CWE-565 Reliance on Cookies without Validation and Integrity Checking"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-03-26T02:04:10.267Z"}}}, "cveMetadata": {"cveId": "CVE-2014-125112", "state": "PUBLISHED", "dateUpdated": "2026-03-26T14:53:30.210Z", "dateReserved": "2025-07-08T15:24:38.840Z", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "datePublished": "2026-03-26T02:04:10.267Z", "assignerShortName": "CPANSec"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:miyagawa:plack\\:\\:middleware\\:\\:session\\:\\:cookie:*:*:*:*:*:perl:*:*", "matchCriteriaId": "B0973619-DAA2-4B3C-BF1E-5C1EDD60F202", "versionEndExcluding": "0.23", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\n\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie."}, {"lang": "es", "value": "Las versiones de Plack::Middleware::Session::Cookie hasta la 0.21 para Perl permiten la ejecuci\u00f3n remota de c\u00f3digo.\n\nLas versiones de Plack::Middleware::Session::Cookie hasta la 0.21 tienen una vulnerabilidad de seguridad que permite a un atacante ejecutar c\u00f3digo arbitrario en el servidor durante la deserializaci\u00f3n de los datos de la cookie, cuando no se utiliza ning\u00fan secreto para firmar la cookie."}], "id": "CVE-2014-125112", "lastModified": "2026-05-06T14:50:24.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T03:16:00.423", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Third Party Advisory"], "url": "https://gist.github.com/miyagawa/2b8764af908a0dacd43d"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Release Notes"], "url": "https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/03/26/2"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-565"}], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary"}]}

{"bugzilla": {"description": "Plack::Middleware::Session::Cookie: perl: Plack::Middleware::Session::Cookie: Remote code execution via deserialization of unsigned cookie data", "id": "2451591", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451591"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-565", "details": ["Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.", "A vulnerability was identified in Plack::Middleware::Session::Cookie when session data is deserialized from cookies using Storable::thaw. If the secret parameter is not configured or is compromised, an attacker can craft a malicious session cookie containing serialized objects. Because Storable::thaw processes untrusted data without restrictions, this may lead to execution of arbitrary code during object deserialization."], "name": "CVE-2014-125112", "package_state": [{"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "perl", "product_name": "Red Hat Hardened Images"}], "public_date": "2026-03-26T02:04:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-125112\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-125112\nhttps://gist.github.com/miyagawa/2b8764af908a0dacd43d\nhttps://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes"], "threat_severity": "Critical"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.21]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Plack::Middleware::Session::Cookie", "source": "cna", "vendor": "MIYAGAWA"}, "product": "plack::middleware::session::cookie", "vendor": "miyagawa"}], "analysis": {"en": {"generated_at": "2026-03-26T16:51:43.696747+00:00", "value": {"mitigation_remediation": ["Apply vendor patch: upgrade Plack::Middleware::Session to 0.23 or later and set the \"secret\" option.", "If upgrade is not immediately possible, configure the \"secret\" option to sign cookies and block unsafe deserialization.", "Continue monitoring for exploitation attempts and apply future updates promptly."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The Perl module MIYAGAWA::Plack::Middleware::Session::Cookie, versions 0.21 and earlier. End users running these versions on any platform that accepts HTTP cookies are vulnerable. The official fix is to upgrade to version\u202f0.23 or later and configure the required 'secret' parameter; alternatively, simply setting a secret protects existing installations.", "description_and_impact": "Plack::Middleware::Session::Cookie until version\u202f0.21 deserializes cookie data without verifying a secret. This flaw permits an attacker to embed malicious code in a cookie that, when processed by a legitimate application, causes the server to execute that code. The result is remote code execution, granting the attacker full control over the affected host.", "risk_and_exploitability": "With a CVSS base score of 9.8 the flaw is considered critical. EPSS indicates the exploitation likelihood is currently below 1\u202f%, and the vulnerability is not listed in CISA's KEV catalog. Nevertheless, the remote nature of the attack and the ability to trigger code execution via a crafted cookie make the risk high for exposed web applications. Attackers can deliver the cookie in HTTP requests to any vulnerable endpoint, assuming the application uses the module for session handling."}}}}, "created": "2026-03-26T11:30:46.269850+00:00", "updated": "2026-03-27T09:28:58.074982+00:00", "vendors": ["miyagawa", "miyagawa$PRODUCT$plack::middleware::session::cookie"]}