CRITICAL🇵🇱 Wersja polska

CVE-2014-125112

CVSS 9.8v3.1pub. 2026-03-26upd. 2026-05-06

Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.

🤖 AI Analysis
How it works

The vulnerability results from the lack of integrity verification of data stored in cookies on the server side — when a secret for signing cookies is not configured. An attacker can provide crafted, malicious data in a cookie, which during deserialization on the server side leads to arbitrary code execution. This is a classic unsafe deserialization attack (CWE-565), where user-controlled data is processed without proper validation.

Impact

A remote attacker, without authentication, can execute arbitrary code on the server, which in practice means complete takeover of the application and potentially the entire system, including gaining access to data, modifying content, or installing malicious software.

Mitigation & patch

The Plack-Middleware-Session package should be updated to version 0.23 or newer (available on CPAN). According to vendor references, version 0.23-TRIAL addresses this vulnerability. Additionally, a secret for signing cookies should be configured, which prevents attackers from manipulating session data.

Who is affected

Plack::Middleware::Session::Cookie in versions up to and including 0.21 for Perl — affects deployments where no secret for signing cookies is configured.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Miyagawa Plack\

    APP
    Miyagawa
    \
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2026-7381CRITICAL9.1PL ✓ten sam produkt

Plack::Middleware::XSendfile — kontrola ścieżki pliku przez klienta (path rewriting)

CVE-2026-40560HIGH7.5ten sam vendor

Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starman...