{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2014-125112","assignerOrgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","state":"PUBLISHED","assignerShortName":"CPANSec","dateReserved":"2025-07-08T15:24:38.840Z","datePublished":"2026-03-26T02:04:10.267Z","dateUpdated":"2026-03-26T14:53:30.210Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://cpan.org/modules","defaultStatus":"unaffected","packageName":"Plack-Middleware-Session","product":"Plack::Middleware::Session::Cookie","repo":"https://github.com/plack/Plack-Middleware-Session","vendor":"MIYAGAWA","versions":[{"lessThanOrEqual":"0.21","status":"affected","version":"0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"mala (@bulkneets)"}],"descriptions":[{"lang":"en","value":"Plack::Middleware::Session::Cookie versions through 0.21 for Perl allow remote code execution.\n\nPlack::Middleware::Session::Cookie versions through 0.21 have a security vulnerability that allows an attacker to execute arbitrary code on the server during deserialization of the cookie data when no secret is used to sign the cookie."}],"impacts":[{"capecId":"CAPEC-586","descriptions":[{"lang":"en","value":"CAPEC-586 Object Injection"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-565","description":"CWE-565 Reliance on Cookies without Validation and Integrity Checking","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","shortName":"CPANSec","dateUpdated":"2026-03-26T02:04:10.267Z"},"references":[{"tags":["technical-description"],"url":"https://gist.github.com/miyagawa/2b8764af908a0dacd43d"},{"tags":["release-notes"],"url":"https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes"}],"solutions":[{"lang":"en","value":"Upgrade Plack::Middleware::Session to version 0.23 or later (ideally version 0.36 or later), and set the \"secret\" 
option."}],"source":{"discovery":"UNKNOWN"},"timeline":[{"lang":"en","time":"2014-08-11T00:00:00.000Z","value":"Vulnerability disclosed by MIYAGAWA."},{"lang":"en","time":"2014-08-11T00:00:00.000Z","value":"Version 0.22 released that warns when the \"secret\" option is not set."},{"lang":"en","time":"2014-08-11T00:00:00.000Z","value":"Version 0.23-TRIAL released that requires the \"secret\" option to be set."},{"lang":"en","time":"2014-09-05T00:00:00.000Z","value":"Version 0.24 released. Same as 0.23 but not a trial release."},{"lang":"en","time":"2016-02-03T00:00:00.000Z","value":"Version 0.26 released. Documentation improved with SYNOPSIS giving an example of how to set the \"secret\" option."},{"lang":"en","time":"2019-01-26T00:00:00.000Z","value":"CPANSA-Plack-Middleware-Session-Cookie-2014-01 assigned in CPAN::Audit::DB"},{"lang":"en","time":"2019-03-09T00:00:00.000Z","value":"CPANSA-Plack-Middleware-Session-2014-01 reassigned in CPAN::Audit::DB"},{"lang":"en","time":"2025-07-08T00:00:00.000Z","value":"CVE-2014-125112 assigned by CPANSec."}],"title":"Plack::Middleware::Session::Cookie versions through 0.21 for Perl allow remote code execution","workarounds":[{"lang":"en","value":"Set the \"secret\" option."}],"x_generator":{"engine":"cpansec-cna-tool 0.1"}},"adp":[{"title":"CVE Program 
Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2026/03/26/2"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2026-03-26T04:46:57.862Z"}},{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":9.8,"attackVector":"NETWORK","baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-03-26T14:52:33.130571Z","id":"CVE-2014-125112","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-26T14:53:30.210Z"}}]}}