2025-05-03 10:16:10
CPANSec
PUBLISHED
Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the applications configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the applications sessions. This may allow an attacker to brute force the applications session keys.