CVE-2014-125112 (GCVE-0-2014-125112)
Vulnerability from cvelistv5
Published
2026-03-26 02:04
Modified
2026-03-26 14:53
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-565 - Reliance on Cookies without Validation and Integrity Checking
Summary
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.
References
Impacted products
Vendor Product Version
MIYAGAWA Plack::Middleware::Session::Cookie Version: 0   <
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-03-26T04:46:57.862Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/26/2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2014-125112",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-26T14:52:33.130571Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-26T14:53:30.210Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Plack-Middleware-Session",
          "product": "Plack::Middleware::Session::Cookie",
          "repo": "https://github.com/plack/Plack-Middleware-Session",
          "vendor": "MIYAGAWA",
          "versions": [
            {
              "lessThanOrEqual": "0.21",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "mala (@bulkneets)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\n\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-586",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-586 Object Injection"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-565",
              "description": "CWE-565 Reliance on Cookies without Validation and Integrity Checking",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T02:04:10.267Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://gist.github.com/miyagawa/2b8764af908a0dacd43d"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade Plack::Middleware::Session to version 0.23 or later (ideally version 0.36 or later), and set the \"secret\" option."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2014-08-11T00:00:00.000Z",
          "value": "Vulnerability disclosed by MIYAGAWA."
        },
        {
          "lang": "en",
          "time": "2014-08-11T00:00:00.000Z",
          "value": "Version 0.22 released that warns when the \"secret\" option is not set."
        },
        {
          "lang": "en",
          "time": "2014-08-11T00:00:00.000Z",
          "value": "Version 0.23-TRIAL released that requires the \"secret\" option to be set."
        },
        {
          "lang": "en",
          "time": "2014-09-05T00:00:00.000Z",
          "value": "Version 0.24 released. Same as 0.23 but not a trial release."
        },
        {
          "lang": "en",
          "time": "2016-02-03T00:00:00.000Z",
          "value": "Version 0.26 released. Documentation improved with SYNOPSIS giving an example of how to set the \"secret\" option."
        },
        {
          "lang": "en",
          "time": "2019-01-26T00:00:00.000Z",
          "value": "CPANSA-Plack-Middleware-Session-Cookie-2014-01 assigned in CPAN::Audit::DB"
        },
        {
          "lang": "en",
          "time": "2019-03-09T00:00:00.000Z",
          "value": "CPANSA-Plack-Middleware-Session-2014-01 reassigned in CPAN::Audit::DB"
        },
        {
          "lang": "en",
          "time": "2025-07-08T00:00:00.000Z",
          "value": "CVE-2014-125112 assigned by CPANSec."
        }
      ],
      "title": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution",
      "workarounds": [
        {
          "lang": "en",
          "value": "Set the \"secret\" option."
        }
      ],
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2014-125112",
    "datePublished": "2026-03-26T02:04:10.267Z",
    "dateReserved": "2025-07-08T15:24:38.840Z",
    "dateUpdated": "2026-03-26T14:53:30.210Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/03/26/2\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-03-26T04:46:57.862Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2014-125112\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-26T14:52:33.130571Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-26T14:52:42.675Z\"}}], \"cna\": {\"title\": \"Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"mala (@bulkneets)\"}], \"impacts\": [{\"capecId\": \"CAPEC-586\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-586 Object Injection\"}]}], \"affected\": [{\"repo\": \"https://github.com/plack/Plack-Middleware-Session\", \"vendor\": \"MIYAGAWA\", \"product\": \"Plack::Middleware::Session::Cookie\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"0.21\"}], \"packageName\": \"Plack-Middleware-Session\", \"collectionURL\": \"https://cpan.org/modules\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2014-08-11T00:00:00.000Z\", \"value\": \"Vulnerability disclosed by MIYAGAWA.\"}, {\"lang\": \"en\", \"time\": \"2014-08-11T00:00:00.000Z\", \"value\": \"Version 0.22 released that warns when the \\\"secret\\\" option is not set.\"}, {\"lang\": \"en\", \"time\": \"2014-08-11T00:00:00.000Z\", \"value\": \"Version 0.23-TRIAL released that requires the \\\"secret\\\" option to be set.\"}, {\"lang\": \"en\", \"time\": \"2014-09-05T00:00:00.000Z\", \"value\": \"Version 0.24 released. Same as 0.23 but not a trial release.\"}, {\"lang\": \"en\", \"time\": \"2016-02-03T00:00:00.000Z\", \"value\": \"Version 0.26 released. Documentation improved with SYNOPSIS giving an example of how to set the \\\"secret\\\" option.\"}, {\"lang\": \"en\", \"time\": \"2019-01-26T00:00:00.000Z\", \"value\": \"CPANSA-Plack-Middleware-Session-Cookie-2014-01 assigned in CPAN::Audit::DB\"}, {\"lang\": \"en\", \"time\": \"2019-03-09T00:00:00.000Z\", \"value\": \"CPANSA-Plack-Middleware-Session-2014-01 reassigned in CPAN::Audit::DB\"}, {\"lang\": \"en\", \"time\": \"2025-07-08T00:00:00.000Z\", \"value\": \"CVE-2014-125112 assigned by CPANSec.\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade Plack::Middleware::Session to version 0.23 or later (ideally version 0.36 or later), and set the \\\"secret\\\" option.\"}], \"references\": [{\"url\": \"https://gist.github.com/miyagawa/2b8764af908a0dacd43d\", \"tags\": [\"technical-description\"]}, {\"url\": \"https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes\", \"tags\": [\"release-notes\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Set the \\\"secret\\\" option.\"}], \"x_generator\": {\"engine\": \"cpansec-cna-tool 0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\\n\\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-565\", \"description\": \"CWE-565 Reliance on Cookies without Validation and Integrity Checking\"}]}], \"providerMetadata\": {\"orgId\": \"9b29abf9-4ab0-4765-b253-1875cd9b441e\", \"shortName\": \"CPANSec\", \"dateUpdated\": \"2026-03-26T02:04:10.267Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2014-125112\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-26T14:53:30.210Z\", \"dateReserved\": \"2025-07-08T15:24:38.840Z\", \"assignerOrgId\": \"9b29abf9-4ab0-4765-b253-1875cd9b441e\", \"datePublished\": \"2026-03-26T02:04:10.267Z\", \"assignerShortName\": \"CPANSec\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.