GHSA-3m67-fq74-f4qgMediumCVSS 5.3

Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. ...

Published
June 18, 2026
Last Modified
June 18, 2026

🔗 CVE IDs covered (1)

📋 Description

Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely.

The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID.

These are predictable or low-entropy sources that are unsuitable for security purposes.

🔗 References (6)