Home > Vulnerability Database > CVE-2024-58135

Mend.io Vulnerability Database

CVE-2024-58135

Date: May 3, 2025

Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

Severity Score

5.3

Related Resources (10)

Url: https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181

Url: https://security-tracker.debian.org/tracker/CVE-2024-58135

Url: https://github.com/mojolicious/mojo/pull/2200

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-58135

Url: https://github.com/hashcat/hashcat/pull/4090

Url: https://security.metacpan.org/docs/guides/random-data-for-security.html

Url: https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202

Url: https://perldoc.perl.org/functions/rand

Url: https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220

Url: https://www.mend.io/vulnerability-database/CVE-2024-58135

Severity Score

5.3

Weakness Type (CWE)

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CWE-338

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-58135

Date: May 3, 2025

Severity Score

Related Resources (10)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?