cbcvebase.
CVE-2014-125112
published 2026-03-26

CVE-2014-125112: Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.

Priority: P264 · critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.83% (53.0th percentile)
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. When no secret is configured to sign the session cookie, the middleware hands the client-supplied cookie value to Storable::thaw, so an attacker who sends a crafted cookie controls what is deserialized and can execute arbitrary code on the server.
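How the flaw is wired in practice, as an added example that is not code from the Plack project or from the CVE source: one minimal PSGI app mounted twice, once with the vulnerable configuration (no secret) and once hardened. The option names used here (secret, session_key, httponly, secure, serializer, deserializer) are assumptions taken from the middleware's documented interface; confirm them against the POD of the version you run. JSON::PP and MIME::Base64 are core Perl modules.

```perl
#!/usr/bin/env perl
# Added example, not code from the Plack project: the same PSGI app wired
# with the vulnerable configuration and with a hardened one.
# ASSUMPTION: option names follow the Plack::Middleware::Session::Cookie POD
# (secret, session_key, httponly, secure, serializer, deserializer); confirm
# them against the version you have installed.
use strict;
use warnings;
use Plack::Builder;
use MIME::Base64 ();
use JSON::PP     ();

my $app = sub {
    my $env     = shift;
    my $session = $env->{'psgix.session'};   # hashref the middleware round-trips
    $session->{hits}++;
    return [ 200, [ 'Content-Type' => 'text/plain' ],
             [ "hits this session: $session->{hits}\n" ] ];
};

# VULNERABLE (CVE-2014-125112): no 'secret'. The cookie is an unsigned,
# client-controlled Storable blob that the server passes to Storable::thaw on
# every request, so whoever sets the cookie decides what gets deserialized.
my $vulnerable = builder {
    enable 'Session::Cookie';             # session_key defaults to plack_session
    $app;
};

# HARDENED. (1) A secret makes the middleware sign the cookie and reject any
# value whose signature does not verify, before it is deserialized.
# (2) Swapping Storable for JSON removes object deserialization entirely, so
# a leaked or weak secret no longer turns into code execution.
my $secret = $ENV{PLACK_SESSION_SECRET}
    or die "set PLACK_SESSION_SECRET to a long random value\n";
my $json = JSON::PP->new->canonical->utf8;

my $hardened = builder {
    enable 'Session::Cookie',
        secret       => $secret,
        session_key  => 'plack_session',
        httponly     => 1,
        secure       => 1,
        serializer   => sub {
            MIME::Base64::encode_base64($json->encode($_[0]), '');
        },
        deserializer => sub {
            # A cookie that fails to parse yields an empty session instead of
            # an exception; only a signature-valid value ever reaches here.
            my $h = eval { $json->decode(MIME::Base64::decode_base64($_[0])) };
            return ref $h eq 'HASH' ? $h : {};
        };
    $app;
};

$hardened;    # plackup app.psgi (this file) serves the hardened variant
```

Setting a secret alone closes the CVE as described, but the cookie is still thawed by Storable after the signature check, so the secret's strength is the only barrier; replacing the serializer with JSON removes the object-instantiation surface regardless of how the secret is managed.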

Affected (3 ranges)

Vendor     Product                            Version range         Fixed in
debian     libplack-middleware-session-perl   < 0.24-1 (bookworm)   0.24-1 (bookworm)
miyagawa   plack                              < 0.23                0.23
miyagawa   plack_middleware_session_cookie    <= 0.21               (not listed)

Detection & IOCs (extracted from sources)

  • An attacker crafts a malicious session cookie containing serialized (Storable) objects to achieve RCE via deserialization when no secret is configured.
  • The vulnerable deserialization occurs in Plack::Middleware::Session::Cookie when session data is deserialized with Storable::thaw; monitor for anomalous or oversized session cookie values in HTTP requests to Perl/Plack applications.
  • Exploitation is only possible when the 'secret' parameter is not configured or is compromised; audit Plack application configurations for missing or weak session signing secrets.
  • The affected component is Plack::Middleware::Session::Cookie versions through 0.21; flag any Perl/Plack deployments running this version range.
  • The vulnerability only exists when the 'secret' parameter is absent or compromised; deployments with a properly configured secret are not exploitable via this vector.
  • Fixed in package version 0.24-1 on Debian (bookworm, bullseye, forky, sid, trixie); upstream, upgrade to 0.22 or later (the affected-range table above lists 0.23 as the fixed version).
  • No supported Fedora versions are impacted by this CVE.
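A detection pass over the cookie signals listed above, as an added example that is not code from the Plack project or from the CVE source. It never calls Storable::thaw on a suspect value (thawing is the vulnerable operation); instead it checks three things: whether the cookie carries a signature, whether the decoded payload is oversized, and whether the payload contains Storable blessed-object markers, which a plain session hash never needs. Two assumptions are baked in and labelled in the code: the cookie layout `<id>:<base64(nfreeze)>:<sig>` with `.` as the signature when no secret is set, and Storable's SX_BLESS opcode being byte 0x11 followed by a one-byte class-name length. The sample log lines are constructed inside the script with core modules (Storable, MIME::Base64, Digest::SHA), so it runs offline.

```perl
#!/usr/bin/env perl
# Added detection example, not from the Plack project or the CVE source.
# ASSUMPTIONS (verify against your Plack/Storable versions):
#   - cookie layout is "<id>:<base64(Storable::nfreeze)>:<sig>", sig '.' when
#     the middleware has no secret;
#   - Storable marks a blessed object with opcode 0x11 (SX_BLESS) followed by
#     a one-byte class-name length and the class name.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);
use Storable     qw(nfreeze);
use Digest::SHA  qw(hmac_sha1_hex);

my $MAX_DECODED = 2048;   # bytes; a legitimate session hash rarely exceeds this

# Scan the raw blob for SX_BLESS markers instead of thawing it. A marker only
# counts if the bytes after it form a plausible Perl package name.
sub blessed_classes {
    my ($blob) = @_;
    my @classes;
    while ($blob =~ /\x11([\x01-\x7f])/g) {
        my $len  = ord $1;
        my $name = substr $blob, pos($blob), $len;
        push @classes, $name
            if length($name) == $len && $name =~ /\A[A-Za-z_][\w:]*\z/;
    }
    return @classes;
}

# Returns a list of findings for one plack_session cookie value (empty = ok).
sub analyze_cookie {
    my ($value) = @_;
    my ($id, $b64, $sig) = split /:/, $value, 3;
    return ('unexpected layout (not id:payload:sig)') unless defined $sig;

    my @findings;
    push @findings, 'unsigned payload (sig ".")' if $sig eq '.';
    push @findings, 'malformed signature'
        if $sig ne '.' && $sig !~ /\A[0-9a-f]{40}\z/;

    my $blob = decode_base64($b64);
    push @findings, sprintf('oversized payload (%d bytes decoded)', length $blob)
        if length($blob) > $MAX_DECODED;

    my @classes = blessed_classes($blob);
    push @findings, 'blessed object(s) in payload: ' . join(', ', @classes)
        if @classes;
    return @findings;
}

# --- constructed sample traffic (built the way the middleware would) --------
my $secret = 'constructed-demo-secret';
sub make_cookie {
    my ($session, $sign_with) = @_;
    my $b64 = encode_base64(nfreeze($session), '');
    my $sig = defined $sign_with ? hmac_sha1_hex($b64, $sign_with) : '.';
    return join ':', time(), $b64, $sig;
}

my @log = map { "198.51.100.$_->[0] GET /app Cookie: plack_session=$_->[1]" } (
    [ 10, make_cookie({ user => 'alice', hits => 3 }, $secret) ],        # signed, benign
    [ 11, make_cookie({ user => 'alice', hits => 3 }, undef) ],          # unsigned: no secret, or stripped
    [ 12, make_cookie(bless({ cmd => 'id' }, 'Evil::Gadget'), undef) ],  # object smuggled in payload
    [ 13, make_cookie({ pad => 'A' x 5000 }, $secret) ],                 # oversized
);

for my $line (@log) {
    my ($cookie) = $line =~ /plack_session=(\S+)/ or next;
    my @f = analyze_cookie($cookie);
    printf "%-18s %s\n", (split ' ', $line)[0], @f ? join('; ', @f) : 'ok';
}
```

An unsigned cookie arriving at a deployment that is supposed to have a secret is either a misconfiguration or a tampering attempt, and either way deserves an alert; a blessed-class marker in a session payload is the strongest single signal, because the stock serializer only ever freezes a plain hash.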

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv                       9.8     CRITICAL
vendor_debian             9.8     CRITICAL
vendor_redhat             9.8     CRITICAL