CVE-2014-125112 (GCVE-0-2014-125112)

Vulnerability from cvelistv5 – Published: 2026-03-26 02:04 – Updated: 2026-03-26 14:53
VLAI?
Title
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution
Summary
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.
Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-565 - Reliance on Cookies without Validation and Integrity Checking
Assigner
References
Impacted products
Vendor Product Version
MIYAGAWA Plack::Middleware::Session::Cookie Affected: 0 , ≤ 0.21 (custom)
Create a notification for this product.
Credits
mala (@bulkneets)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-03-26T04:46:57.862Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/26/2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2014-125112",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-26T14:52:33.130571Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-26T14:53:30.210Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Plack-Middleware-Session",
          "product": "Plack::Middleware::Session::Cookie",
          "repo": "https://github.com/plack/Plack-Middleware-Session",
          "vendor": "MIYAGAWA",
          "versions": [
            {
              "lessThanOrEqual": "0.21",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "mala (@bulkneets)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\n\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-586",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-586 Object Injection"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-565",
              "description": "CWE-565 Reliance on Cookies without Validation and Integrity Checking",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T02:04:10.267Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://gist.github.com/miyagawa/2b8764af908a0dacd43d"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade Plack::Middleware::Session to version 0.23 or later (ideally version 0.36 or later), and set the \"secret\" option."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2014-08-11T00:00:00.000Z",
          "value": "Vulnerability disclosed by MIYAGAWA."
        },
        {
          "lang": "en",
          "time": "2014-08-11T00:00:00.000Z",
          "value": "Version 0.22 released that warns when the \"secret\" option is not set."
        },
        {
          "lang": "en",
          "time": "2014-08-11T00:00:00.000Z",
          "value": "Version 0.23-TRIAL released that requires the \"secret\" option to be set."
        },
        {
          "lang": "en",
          "time": "2014-09-05T00:00:00.000Z",
          "value": "Version 0.24 released. Same as 0.23 but not a trial release."
        },
        {
          "lang": "en",
          "time": "2016-02-03T00:00:00.000Z",
          "value": "Version 0.26 released. Documentation improved with SYNOPSIS giving an example of how to set the \"secret\" option."
        },
        {
          "lang": "en",
          "time": "2019-01-26T00:00:00.000Z",
          "value": "CPANSA-Plack-Middleware-Session-Cookie-2014-01 assigned in CPAN::Audit::DB"
        },
        {
          "lang": "en",
          "time": "2019-03-09T00:00:00.000Z",
          "value": "CPANSA-Plack-Middleware-Session-2014-01 reassigned in CPAN::Audit::DB"
        },
        {
          "lang": "en",
          "time": "2025-07-08T00:00:00.000Z",
          "value": "CVE-2014-125112 assigned by CPANSec."
        }
      ],
      "title": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution",
      "workarounds": [
        {
          "lang": "en",
          "value": "Set the \"secret\" option."
        }
      ],
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2014-125112",
    "datePublished": "2026-03-26T02:04:10.267Z",
    "dateReserved": "2025-07-08T15:24:38.840Z",
    "dateUpdated": "2026-03-26T14:53:30.210Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2014-125112\",\"sourceIdentifier\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"published\":\"2026-03-26T03:16:00.423\",\"lastModified\":\"2026-03-26T15:16:26.460\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\\n\\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.\"},{\"lang\":\"es\",\"value\":\"Las versiones de Plack::Middleware::Session::Cookie hasta la 0.21 para Perl permiten la ejecuci\u00f3n remota de c\u00f3digo.\\n\\nLas versiones de Plack::Middleware::Session::Cookie hasta la 0.21 tienen una vulnerabilidad de seguridad que permite a un atacante ejecutar c\u00f3digo arbitrario en el servidor durante la deserializaci\u00f3n de los datos de la cookie, cuando no se utiliza ning\u00fan secreto para firmar la cookie.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-565\"}]}],\"references\":[{\"url\":\"https://gist.github.com/miyagawa/2b8764af908a0dacd43d\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\"},{\"url\":\"https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/03/26/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/03/26/2\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-03-26T04:46:57.862Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2014-125112\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-26T14:52:33.130571Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-26T14:52:42.675Z\"}}], \"cna\": {\"title\": \"Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"mala (@bulkneets)\"}], \"impacts\": [{\"capecId\": \"CAPEC-586\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-586 Object Injection\"}]}], \"affected\": [{\"repo\": \"https://github.com/plack/Plack-Middleware-Session\", \"vendor\": \"MIYAGAWA\", \"product\": \"Plack::Middleware::Session::Cookie\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"0.21\"}], \"packageName\": \"Plack-Middleware-Session\", \"collectionURL\": \"https://cpan.org/modules\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2014-08-11T00:00:00.000Z\", \"value\": \"Vulnerability disclosed by MIYAGAWA.\"}, {\"lang\": \"en\", \"time\": \"2014-08-11T00:00:00.000Z\", \"value\": \"Version 0.22 released that warns when the \\\"secret\\\" option is not set.\"}, {\"lang\": \"en\", \"time\": \"2014-08-11T00:00:00.000Z\", \"value\": \"Version 0.23-TRIAL released that requires the \\\"secret\\\" option to be set.\"}, {\"lang\": \"en\", \"time\": \"2014-09-05T00:00:00.000Z\", \"value\": \"Version 0.24 released. Same as 0.23 but not a trial release.\"}, {\"lang\": \"en\", \"time\": \"2016-02-03T00:00:00.000Z\", \"value\": \"Version 0.26 released. Documentation improved with SYNOPSIS giving an example of how to set the \\\"secret\\\" option.\"}, {\"lang\": \"en\", \"time\": \"2019-01-26T00:00:00.000Z\", \"value\": \"CPANSA-Plack-Middleware-Session-Cookie-2014-01 assigned in CPAN::Audit::DB\"}, {\"lang\": \"en\", \"time\": \"2019-03-09T00:00:00.000Z\", \"value\": \"CPANSA-Plack-Middleware-Session-2014-01 reassigned in CPAN::Audit::DB\"}, {\"lang\": \"en\", \"time\": \"2025-07-08T00:00:00.000Z\", \"value\": \"CVE-2014-125112 assigned by CPANSec.\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade Plack::Middleware::Session to version 0.23 or later (ideally version 0.36 or later), and set the \\\"secret\\\" option.\"}], \"references\": [{\"url\": \"https://gist.github.com/miyagawa/2b8764af908a0dacd43d\", \"tags\": [\"technical-description\"]}, {\"url\": \"https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes\", \"tags\": [\"release-notes\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Set the \\\"secret\\\" option.\"}], \"x_generator\": {\"engine\": \"cpansec-cna-tool 0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\\n\\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-565\", \"description\": \"CWE-565 Reliance on Cookies without Validation and Integrity Checking\"}]}], \"providerMetadata\": {\"orgId\": \"9b29abf9-4ab0-4765-b253-1875cd9b441e\", \"shortName\": \"CPANSec\", \"dateUpdated\": \"2026-03-26T02:04:10.267Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2014-125112\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-26T14:53:30.210Z\", \"dateReserved\": \"2025-07-08T15:24:38.840Z\", \"assignerOrgId\": \"9b29abf9-4ab0-4765-b253-1875cd9b441e\", \"datePublished\": \"2026-03-26T02:04:10.267Z\", \"assignerShortName\": \"CPANSec\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.