{"api_version":"1","generated_at":"2026-05-13T12:03:27+00:00","cve":"CVE-2014-125112","urls":{"html":"https://cve.report/CVE-2014-125112","api":"https://cve.report/api/cve/CVE-2014-125112.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2014-125112","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2014-125112"},"summary":{"title":"Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution","description":"Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\n\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.","state":"PUBLISHED","assigner":"CPANSec","published_at":"2026-03-26 03:16:00","updated_at":"2026-05-06 14:50:24"},"problem_types":["CWE-565","CWE-565 CWE-565 Reliance on Cookies without Validation and Integrity Checking"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}}],"references":[{"url":"http://www.openwall.com/lists/oss-security/2026/03/26/2","name":"http://www.openwall.com/lists/oss-security/2026/03/26/2","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://gist.github.com/miyagawa/2b8764af908a0dacd43d","name":"https://gist.github.com/miyagawa/2b8764af908a0dacd43d","refsource":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes","name":"https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes","refsource":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":["Release Notes"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2014-125112","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-125112","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"MIYAGAWA","product":"Plack::Middleware::Session::Cookie","version":"affected 0.21 custom","platforms":[]}],"timeline":[{"source":"CNA","time":"2014-08-11T00:00:00.000Z","lang":"en","value":"Vulnerability disclosed by MIYAGAWA."},{"source":"CNA","time":"2014-08-11T00:00:00.000Z","lang":"en","value":"Version 0.22 released that warns when the \"secret\" option is not set."},{"source":"CNA","time":"2014-08-11T00:00:00.000Z","lang":"en","value":"Version 0.23-TRIAL released that requires the \"secret\" option to be set."},{"source":"CNA","time":"2014-09-05T00:00:00.000Z","lang":"en","value":"Version 0.24 released. Same as 0.23 but not a trial release."},{"source":"CNA","time":"2016-02-03T00:00:00.000Z","lang":"en","value":"Version 0.26 released. Documentation improved with SYNOPSIS giving an example of how to set the \"secret\" option."},{"source":"CNA","time":"2019-01-26T00:00:00.000Z","lang":"en","value":"CPANSA-Plack-Middleware-Session-Cookie-2014-01 assigned in CPAN::Audit::DB"},{"source":"CNA","time":"2019-03-09T00:00:00.000Z","lang":"en","value":"CPANSA-Plack-Middleware-Session-2014-01 reassigned in CPAN::Audit::DB"},{"source":"CNA","time":"2025-07-08T00:00:00.000Z","lang":"en","value":"CVE-2014-125112 assigned by CPANSec."}],"solutions":[{"source":"CNA","title":"","value":"Upgrade Plack::Middleware::Session to version 0.23 or later (ideally version 0.36 or later), and set the \"secret\" option.","time":"","lang":"en"}],"workarounds":[{"source":"CNA","title":"","value":"Set the \"secret\" option.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"mala (@bulkneets)","lang":"en"}],"nvd_cpes":[{"cve_year":"2014","cve_id":"125112","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"miyagawa","cpe5":"plack\\","cpe6":"\\","cpe7":"middleware\\","cpe8":"\\","cpe9":"session\\","cpe10":"\\","cpe11":"cookie","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2026-03-26T04:46:57.862Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"http://www.openwall.com/lists/oss-security/2026/03/26/2"}],"title":"CVE Program Container"},{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2014-125112","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-03-26T14:52:33.130571Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-03-26T14:53:30.210Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://cpan.org/modules","defaultStatus":"unaffected","packageName":"Plack-Middleware-Session","product":"Plack::Middleware::Session::Cookie","repo":"https://github.com/plack/Plack-Middleware-Session","vendor":"MIYAGAWA","versions":[{"lessThanOrEqual":"0.21","status":"affected","version":"0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"mala (@bulkneets)"}],"descriptions":[{"lang":"en","value":"Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\n\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie."}],"impacts":[{"capecId":"CAPEC-586","descriptions":[{"lang":"en","value":"CAPEC-586 Object Injection"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-565","description":"CWE-565 Reliance on Cookies without Validation and Integrity Checking","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-03-26T02:04:10.267Z","orgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","shortName":"CPANSec"},"references":[{"tags":["technical-description"],"url":"https://gist.github.com/miyagawa/2b8764af908a0dacd43d"},{"tags":["release-notes"],"url":"https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes"}],"solutions":[{"lang":"en","value":"Upgrade Plack::Middleware::Session to version 0.23 or later (ideally version 0.36 or later), and set the \"secret\" option."}],"source":{"discovery":"UNKNOWN"},"timeline":[{"lang":"en","time":"2014-08-11T00:00:00.000Z","value":"Vulnerability disclosed by MIYAGAWA."},{"lang":"en","time":"2014-08-11T00:00:00.000Z","value":"Version 0.22 released that warns when the \"secret\" option is not set."},{"lang":"en","time":"2014-08-11T00:00:00.000Z","value":"Version 0.23-TRIAL released that requires the \"secret\" option to be set."},{"lang":"en","time":"2014-09-05T00:00:00.000Z","value":"Version 0.24 released. Same as 0.23 but not a trial release."},{"lang":"en","time":"2016-02-03T00:00:00.000Z","value":"Version 0.26 released. Documentation improved with SYNOPSIS giving an example of how to set the \"secret\" option."},{"lang":"en","time":"2019-01-26T00:00:00.000Z","value":"CPANSA-Plack-Middleware-Session-Cookie-2014-01 assigned in CPAN::Audit::DB"},{"lang":"en","time":"2019-03-09T00:00:00.000Z","value":"CPANSA-Plack-Middleware-Session-2014-01 reassigned in CPAN::Audit::DB"},{"lang":"en","time":"2025-07-08T00:00:00.000Z","value":"CVE-2014-125112 assigned by CPANSec."}],"title":"Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution","workarounds":[{"lang":"en","value":"Set the \"secret\" option."}],"x_generator":{"engine":"cpansec-cna-tool 0.1"}}},"cveMetadata":{"assignerOrgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","assignerShortName":"CPANSec","cveId":"CVE-2014-125112","datePublished":"2026-03-26T02:04:10.267Z","dateReserved":"2025-07-08T15:24:38.840Z","dateUpdated":"2026-03-26T14:53:30.210Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-26 03:16:00","lastModifiedDate":"2026-05-06 14:50:24","problem_types":["CWE-565","CWE-565 CWE-565 Reliance on Cookies without Validation and Integrity Checking"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:miyagawa:plack\\:\\:middleware\\:\\:session\\:\\:cookie:*:*:*:*:*:perl:*:*","versionEndExcluding":"0.23","matchCriteriaId":"B0973619-DAA2-4B3C-BF1E-5C1EDD60F202"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2014","CveId":"125112","Ordinal":"1","Title":"Plack::Middleware::Session::Cookie versions through 0.21 for Per","CVE":"CVE-2014-125112","Year":"2014"},"notes":[{"CveYear":"2014","CveId":"125112","Ordinal":"1","NoteData":"Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\n\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.","Type":"Description","Title":"Plack::Middleware::Session::Cookie versions through 0.21 for Per"}]}}}