5 vulnerabilities by MIYAGAWA
CVE-2026-7381 (GCVE-0-2026-7381)
Vulnerability from cvelistv5 – Published: 2026-04-29 22:13 – Updated: 2026-04-30 13:18
Title
Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting
Summary
Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting.
Plack::Middleware::XSendfile allows the variation setting (the sendfile type) to be set by the client via the X-Sendfile-Type request header if it has not been configured in the middleware constructor or the Plack environment.
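When the service runs behind an nginx reverse proxy, a malicious client can send an X-Sendfile-Type request header with the value "X-Accel-Redirect" and then set the X-Accel-Mapping request header to map the path to an arbitrary file on the server. The workaround given in this record is to configure the sendfile type in the middleware constructor and to have the reverse proxy unset both request headers.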
Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack.
This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations: it does not allow regular expressions to be used in the mapping, and it applies the mapping only for the "X-Accel-Redirect" type.
Severity ?
9.1 (Critical)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://metacpan.org/release/MIYAGAWA/Plack-1.005… | release-notes |
| https://metacpan.org/release/MIYAGAWA/Plack-1.005… | technical-description |
| https://nvd.nist.gov/vuln/detail/CVE-2025-61780 | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MIYAGAWA | Plack::Middleware::XSendfile |
Affected:
0 , ≤ 1.0053
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7381",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-30T13:18:16.234435Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T13:18:45.937Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Plack",
"product": "Plack::Middleware::XSendfile",
"programFiles": [
"lib/Plack/Middleware::XSendfile.pm"
],
"repo": "https://github.com/plack/Plack",
"vendor": "MIYAGAWA",
"versions": [
{
"lessThanOrEqual": "1.0053",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "CPANSec"
}
],
"descriptions": [
{
"lang": "en",
"value": "Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting.\n\nPlack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment.\n\nA malicious client can set the X-Sendfile-Type header to \"X-Accel-Redirect\" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server.\n\nSince 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack.\n\nThis is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the \"X-Accel-Redirect\" type."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-441",
"description": "CWE-441 Unintended Proxy or Intermediary",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-913",
"description": "CWE-913 Improper Control of Dynamically-Managed Code Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T22:13:35.351Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/MIYAGAWA/Plack-1.0053/changes"
},
{
"tags": [
"technical-description"
],
"url": "https://metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib/Plack/Middleware/XSendfile.pm#DEPRECATION-NOTICE"
},
{
"tags": [
"related"
],
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61780"
}
],
"solutions": [
{
"lang": "en",
"value": "Users are encouraged to set the appropriate header directly in their applications, or write their own middleware layer that does not allow configuration to be passed via HTTP request headers."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2025-10-10T00:00:00.000Z",
"value": "Issue for Rack::Sendfile reported"
},
{
"lang": "en",
"time": "2026-04-27T00:00:00.000Z",
"value": "Issue reported to maintainer of Plack"
},
{
"lang": "en",
"time": "2025-04-28T00:00:00.000Z",
"value": "Plack 1.0052 released with improved security documentation in Plack::Middleware::XSendfile"
},
{
"lang": "en",
"time": "2025-04-29T00:00:00.000Z",
"value": "Plack 1.0053 released that deprecates Plack::Middleware::XSendfile"
}
],
"title": "Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting",
"workarounds": [
{
"lang": "en",
"value": "Users can configure the X-Sendfile-Type in the middleware constructor, and the reverse proxy to unset the X-Sendfile-Type header and (on nginx) the X-Accel-Mapping request header."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-7381",
"datePublished": "2026-04-29T22:13:35.351Z",
"dateReserved": "2026-04-29T07:43:55.519Z",
"dateUpdated": "2026-04-30T13:18:45.937Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40560 (GCVE-0-2026-40560)
Vulnerability from cvelistv5 – Published: 2026-04-28 23:46 – Updated: 2026-04-29 19:06
Title
Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence
Summary
Starman versions before 0.4018 for Perl allow HTTP Request Smuggling via Improper Header Precedence.
Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230, section 3.3.3, Transfer-Encoding must take precedence, so Starman and a front-end proxy that follows the RFC can disagree about where the request body ends.
An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
Severity ?
7.5 (High)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
3 references
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-29T03:04:48.511Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/29/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-40560",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T13:30:17.148319Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T13:30:33.198Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Starman",
"product": "Starman",
"programFiles": [
"lib/Starman/Server.pm"
],
"programRoutines": [
{
"name": "Starman::Server::_prepare_env"
}
],
"repo": "https://github.com/miyagawa/Starman",
"vendor": "MIYAGAWA",
"versions": [
{
"lessThan": "0.4018",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "CPANSec"
}
],
"descriptions": [
{
"lang": "en",
"value": "Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence.\n\nStarman incorrectly prioritizes \"Content-Length\" over \"Transfer-Encoding: chunked\" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.\n\nAn attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy."
}
],
"impacts": [
{
"capecId": "CAPEC-33",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-33 HTTP Request Smuggling"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T19:06:02.932Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/miyagawa/Starman/commit/ced205f0805027e9d9c0731f8c40b104220604ed.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/MIYAGAWA/Starman-0.4018/changes"
},
{
"url": "https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 0.4018"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-04-12T00:00:00.000Z",
"value": "Issue identified by CPANSec"
},
{
"lang": "en",
"time": "2026-04-27T00:00:00.000Z",
"value": "Issue reported to software maintainer"
},
{
"lang": "en",
"time": "2026-04-27T00:00:00.000Z",
"value": "Fix committed to public Github repository"
},
{
"lang": "en",
"time": "2026-04-27T00:00:00.000Z",
"value": "Updated version uploaded to CPAN"
}
],
"title": "Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-40560",
"datePublished": "2026-04-28T23:46:37.780Z",
"dateReserved": "2026-04-14T11:35:53.644Z",
"dateUpdated": "2026-04-29T19:06:02.932Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2014-125112 (GCVE-0-2014-125112)
Vulnerability from cvelistv5 – Published: 2026-03-26 02:04 – Updated: 2026-03-26 14:53
Title
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution
Summary
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allow remote code execution.
When no secret is used to sign the cookie, Plack::Middleware::Session::Cookie versions through 0.21 allow an attacker to execute arbitrary code on the server during deserialization of the cookie data.
Severity ?
9.8 (Critical)
CWE
- CWE-565 - Reliance on Cookies without Validation and Integrity Checking
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://gist.github.com/miyagawa/2b8764af908a0dacd43d | technical-description |
| https://metacpan.org/release/MIYAGAWA/Plack-Middl… | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MIYAGAWA | Plack::Middleware::Session::Cookie |
Affected:
0 , ≤ 0.21
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-26T04:46:57.862Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/26/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2014-125112",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T14:52:33.130571Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T14:53:30.210Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Plack-Middleware-Session",
"product": "Plack::Middleware::Session::Cookie",
"repo": "https://github.com/plack/Plack-Middleware-Session",
"vendor": "MIYAGAWA",
"versions": [
{
"lessThanOrEqual": "0.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "mala (@bulkneets)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\n\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-565",
"description": "CWE-565 Reliance on Cookies without Validation and Integrity Checking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T02:04:10.267Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://gist.github.com/miyagawa/2b8764af908a0dacd43d"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade Plack::Middleware::Session to version 0.23 or later (ideally version 0.36 or later), and set the \"secret\" option."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2014-08-11T00:00:00.000Z",
"value": "Vulnerability disclosed by MIYAGAWA."
},
{
"lang": "en",
"time": "2014-08-11T00:00:00.000Z",
"value": "Version 0.22 released that warns when the \"secret\" option is not set."
},
{
"lang": "en",
"time": "2014-08-11T00:00:00.000Z",
"value": "Version 0.23-TRIAL released that requires the \"secret\" option to be set."
},
{
"lang": "en",
"time": "2014-09-05T00:00:00.000Z",
"value": "Version 0.24 released. Same as 0.23 but not a trial release."
},
{
"lang": "en",
"time": "2016-02-03T00:00:00.000Z",
"value": "Version 0.26 released. Documentation improved with SYNOPSIS giving an example of how to set the \"secret\" option."
},
{
"lang": "en",
"time": "2019-01-26T00:00:00.000Z",
"value": "CPANSA-Plack-Middleware-Session-Cookie-2014-01 assigned in CPAN::Audit::DB"
},
{
"lang": "en",
"time": "2019-03-09T00:00:00.000Z",
"value": "CPANSA-Plack-Middleware-Session-2014-01 reassigned in CPAN::Audit::DB"
},
{
"lang": "en",
"time": "2025-07-08T00:00:00.000Z",
"value": "CVE-2014-125112 assigned by CPANSec."
}
],
"title": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution",
"workarounds": [
{
"lang": "en",
"value": "Set the \"secret\" option."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2014-125112",
"datePublished": "2026-03-26T02:04:10.267Z",
"dateReserved": "2025-07-08T15:24:38.840Z",
"dateUpdated": "2026-03-26T14:53:30.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2013-10031 (GCVE-0-2013-10031)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:12 – Updated: 2025-12-11 14:36
Title
Plack::Middleware::Session versions before 0.17 for Perl may be vulnerable to HMAC comparison timing attacks
Summary
Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks.
Severity ?
7.5 (High)
CWE
- CWE-1254 - Incorrect Comparison Logic Granularity
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/plack/Plack-Middleware-Session… | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MIYAGAWA | Plack::Middleware::Session |
Affected:
0.01 , < 0.17
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2013-10031",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T19:53:02.755963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T14:36:31.485Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Plack-Middleware-Session",
"product": "Plack::Middleware::Session",
"programFiles": [
"lib/Plack/Middleware/Session/Cookie.pm"
],
"programRoutines": [
{
"name": "get_session"
}
],
"repo": "https://github.com/plack/Plack-Middleware-Session.git",
"vendor": "MIYAGAWA",
"versions": [
{
"lessThan": "0.17",
"status": "affected",
"version": "0.01",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks\u003cbr\u003e"
}
],
"value": "Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks"
}
],
"impacts": [
{
"capecId": "CAPEC-26",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-26 Leveraging Race Conditions"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1254",
"description": "CWE-1254 Incorrect Comparison Logic Granularity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:12:36.372Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/plack/Plack-Middleware-Session/commit/b7f0252269ba1bb812b5dc02303754fe94c808e4"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to version 0.17 or higher"
}
],
"value": "Upgrade to version 0.17 or higher"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Plack::Middleware::Session versions before 0.17 for Perl may be vulnerable to HMAC comparison timing attacks",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2013-10031",
"datePublished": "2025-12-09T00:12:36.372Z",
"dateReserved": "2025-07-10T09:30:45.910Z",
"dateUpdated": "2025-12-11T14:36:31.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40923 (GCVE-0-2025-40923)
Vulnerability from cvelistv5 – Published: 2025-07-16 13:05 – Updated: 2025-11-04 21:10
Title
Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely
Summary
Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely.
The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.
Predictable session ids could allow an attacker to gain access to systems.
Severity ?
7.3 (High)
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MIYAGAWA | Plack::Middleware::Session |
Affected:
0.01 , < 0.35
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-40923",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-16T20:47:49.157521Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T20:48:17.516Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:10:20.704Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/16/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Plack-Middleware-Session",
"product": "Plack::Middleware::Session",
"programFiles": [
"lib/Plack/Session/State.pm"
],
"repo": "https://github.com/plack/Plack-Middleware-Session",
"vendor": "MIYAGAWA",
"versions": [
{
"lessThan": "0.35",
"status": "affected",
"version": "0.01",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003ePlack-Middleware-Session before version 0.35 for Perl generates session ids insecurely.\u003c/div\u003e\u003cdiv\u003eThe default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\u003c/div\u003e\u003cdiv\u003ePredicable session ids could allow an attacker to gain access to systems.\u003c/div\u003e"
}
],
"value": "Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely.\n\nThe default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nPredicable session ids could allow an attacker to gain access to systems."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-340",
"description": "CWE-340 Generation of Predictable Numbers or Identifiers",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T13:05:03.782Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.34/source/lib/Plack/Session/State.pm#L22"
},
{
"url": "https://github.com/plack/Plack-Middleware-Session/pull/52"
},
{
"tags": [
"patch"
],
"url": "https://github.com/plack/Plack-Middleware-Session/commit/1fbfbb355e34e7f4b3906f66cf958cedadd2b9be.patch"
},
{
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eUsers are advised to upgrade to Plack-Middleware-Session v0.35 or later.\u003c/div\u003e"
}
],
"value": "Users are advised to upgrade to Plack-Middleware-Session v0.35 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eUsers who are unable to upgrade are advised to change the sid_generator attribute of Plack::Session::State to a function that returns a securely generated session id based on a secure source of entropy from the system.\u003c/div\u003e"
}
],
"value": "Users who are unable to upgrade are advised to change the sid_generator attribute of Plack::Session::State to a function that returns a securely generated session id based on a secure source of entropy from the system."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2025-40923",
"datePublished": "2025-07-16T13:05:03.782Z",
"dateReserved": "2025-04-16T09:05:34.362Z",
"dateUpdated": "2025-11-04T21:10:20.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}