CVE-2014-125112
Published 2026-03-26
Priority P264 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.83% (53.0th percentile)
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.
Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libplack-middleware-session-perl | < libplack-middleware-session-perl 0.24-1 (bookworm) | libplack-middleware-session-perl 0.24-1 (bookworm) |
| miyagawa | plack | < 0.23 | 0.23 |
| miyagawa | plack_middleware_session_cookie | <= 0.21 | — |
Detection & IOCs (extracted from sources)
- Attacker crafts a malicious session cookie containing serialized (Storable) objects to achieve RCE via deserialization when no secret is configured.
- Vulnerable deserialization occurs specifically in Plack::Middleware::Session::Cookie when session data is deserialized using Storable::thaw; monitor for anomalous or oversized session cookie values in HTTP requests to Perl/Plack applications.
- Exploitation is only possible when the 'secret' parameter is not configured or is compromised; audit Plack app configurations for missing or weak session signing secrets.
- Affected component is Plack::Middleware::Session::Cookie versions through 0.21; flag any Perl/Plack deployments running this version range.
- The vulnerability only exists when the 'secret' parameter is absent or compromised; deployments with a properly configured secret are not exploitable via this vector.
- Fixed in package version 0.24-1 on Debian (bookworm, bullseye, forky, sid, trixie); upgrade to at least 0.22+ to remediate.
- No supported Fedora versions are impacted by this CVE.
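The audit point above (an unsigned session cookie is the precondition) in a minimal PSGI file, as an added example that is not code from Plack or from any of the sources quoted here: the weak configuration the advisory describes beside a hardened one that refuses to start without a signing secret. The option names `secret`, `session_key`, `httponly` and `secure` are the middleware's documented options; the `SESSION_SECRET` environment variable name is an assumption of this example.

```perl
# Added example (not Plack's own code). Compares the unsigned-cookie
# configuration that CVE-2014-125112 depends on with a hardened one.
use strict;
use warnings;
use Plack::Builder;

# Trivial application: Plack::Middleware::Session exposes the session
# hash in $env->{'psgix.session'}.
my $app = sub {
    my $env     = shift;
    my $session = $env->{'psgix.session'};
    $session->{visits}++;
    return [ 200, [ 'Content-Type' => 'text/plain' ],
             [ "visits: $session->{visits}\n" ] ];
};

# Weak: no 'secret' means the cookie is not signed, so any client-supplied
# cookie value reaches Storable::thaw unverified. This is the condition
# the advisory describes for versions through 0.21.
my $weak = builder {
    enable 'Session::Cookie';
    $app;
};

# Hardened: require a long random secret from the environment (name is an
# assumption of this example) and refuse to start without it, so a
# misdeployment cannot silently fall back to unsigned cookies.
my $secret = $ENV{SESSION_SECRET};
die "SESSION_SECRET must be set to at least 32 bytes\n"
    unless defined $secret && length($secret) >= 32;

my $hardened = builder {
    enable 'Session::Cookie',
        secret      => $secret,     # cookie is HMAC-signed and verified
        session_key => 'sid',
        httponly    => 1,           # not readable from page scripts
        secure      => 1;           # only sent over HTTPS
    $app;
};

# A .psgi file returns the application to serve; serve the hardened one.
$hardened;
```

Running this with `plackup` and an unset `SESSION_SECRET` fails at startup, which is the intended behaviour; the upgrade to 0.22 or later remains the actual remediation.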
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | |
| vendor_debian | 9.8 | CRITICAL | |
| vendor_redhat | 9.8 | CRITICAL | |
Red Hat
Plack::Middleware::Session::Cookie: perl: Plack::Middleware::Session::Cookie: Remote code execution via deserialization of unsigned cookie data
vendor_redhat·2026-03-26·CVSS 9.8
CWE-565
A vulnerability was identified in Plack::Middleware::Session::Cookie when session data is deserialized from cookies using Storable::thaw. If the secret parameter is not configured or is compromised, an attacker can craft a malicious session cookie containing serialized objects. Because Storable::thaw processes
Debian
CVE-2014-125112: libplack-middleware-session-perl - Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote ...
vendor_debian·2014·CVSS 9.8
Scope: local
bookworm: resolved (fixed in 0.24-1)
bullseye: resolved (fixed in 0.24-1)
forky: resolved (fixed in 0.24-1)
sid: resolved (fixed in 0.24-1)
trixie: resolved (fixed in 0.24-1)
OSV
CVE-2014-125112: Plack::Middleware::Session::Cookie versions through 0
osv·2026-03-26·CVSS 9.8
GHSA
GHSA-58qr-v987-vh6w: Plack::Middleware::Session::Cookie versions through 0
ghsa_unreviewed·2026-03-26
CWE-565
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-125112 Plack::Middleware::Session::Cookie: Plack::Middleware::Session::Cookie: Remote code execution via deserialization of unsigned cookie data
bugzilla·2026-03-26·CVSS 9.8
Bugzilla
CVE-2014-125112 perl-Plack-Middleware-Session: Plack::Middleware::Session::Cookie: Remote code execution via deserialization of unsigned cookie data [fedora-all]
bugzilla·2026-03-26·CVSS 9.8
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
CVE-2014-125112 affected Plack-Middleware-Session versions ≤ 0.21. No supported versions of Fedora are impacted.
Wiz
CVE-2014-125112 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
Linux Debian vulnerability analysis and mitigation
Source: NVD
Score: 9.8
Published: March 26, 2026
Severity: CRITICAL
CNA Score: 9.8
Affected Technologies: Linux Debian
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 30.9
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: libplack-middleware-session-per
Published: 2026-03-26