Home / Vulnerability Intelligence / CVE-2014-125112

CVE-2014-125112 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 26, 2026

Plack::Middleware::Session::Cookie - Remote Code Execution

Published: March 26, 2026Updated: March 26, 2026Remote Exploitable

Overview

Plack::Middleware::Session::Cookie <= 0.21 for Perl contains an insecure deserialization vulnerability caused by lack of cookie signing secret, letting remote attackers execute arbitrary code during cookie deserialization, exploit requires unsigned cookies.

Severity & Score

Severity: Critical

CVSS Score: 9.8

Impact

Remote attackers can execute arbitrary code on the server, potentially leading to full system compromise.

Mitigation

Update to a version later than 0.21 or apply cookie signing with a secret.

References

https://gist.github.com/miyagawa/2b8764af908a0dacd43d
https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes
http://www.openwall.com/lists/oss-security/2026/03/26/2

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2014-125112
Severity: Critical
CVSS Score: 9.8
Type: insecure_deserialization
Status: unconfirmed

CWE

CWE-565

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H