Cyber Posture

CVE-2014-125112

Severity: Critical
Published: 26 March 2026
Modified: 06 May 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Plack::Middleware::Session::Cookie versions through 0.21 for Perl allow remote code execution. The module has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data when there is no secret used to sign the cookie.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent

Directly mitigates the vulnerability by requiring timely remediation through updating to Plack::Middleware::Session::Cookie version 0.23 or later, which enforces proper cookie signing during deserialization.

prevent

Requires cryptographic mechanisms to verify the integrity of software and information such as session cookies, preventing execution of tampered deserialized data lacking a signing secret.

prevent

Mandates validation of information inputs like cookies to reject malformed or malicious serialized payloads before deserialization processing on the server.

Security Summary (AI-generated)

CVE-2014-125112 is a remote code execution vulnerability in Plack::Middleware::Session::Cookie versions through 0.21 for Perl. The flaw occurs during deserialization of cookie data when no secret is used to sign the cookie, allowing attackers to inject and execute arbitrary code on the affected server. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-565 (Reliance on Cookies without Validation and Integrity Checking).

A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted cookie to a vulnerable application. No user interaction or privileges are required, and exploitation requires low complexity over the network. Successful exploitation grants the attacker full control over the server, enabling high-impact compromise of confidentiality, integrity, and availability through arbitrary code execution.

Advisories and release notes, including a GitHub Gist by the maintainer, changes in Plack::Middleware::Session 0.23-TRIAL on MetaCPAN, and an oss-security mailing list post dated 2026-03-26, detail the issue and mitigation. Practitioners should update to Plack::Middleware::Session::Cookie version 0.23 or later, which addresses the deserialization flaw by enforcing proper signing.
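The weak configuration described above beside its hardened form, as an added Perl example that is not code from the advisory or the Plack project; the demo app body and the PLACK_SESSION_SECRET variable name are constructed for illustration, and the secure/httponly flags are the middleware's standard cookie options rather than the fix itself:

```perl
use strict;
use warnings;
use Plack::Builder;

# Constructed demo app: counts requests seen in the current session.
my $app = sub {
    my $env     = shift;
    my $session = $env->{'psgix.session'};
    $session->{hits} = ( $session->{hits} // 0 ) + 1;
    return [ 200, [ 'Content-Type' => 'text/plain' ],
             ["visits this session: $session->{hits}\n"] ];
};

# Weak configuration (the CVE-2014-125112 condition): no 'secret' means the
# cookie carries unsigned serialized session data that the server deserializes
# as received, so an edited cookie reaches the deserializer unverified.
#
# builder {
#     enable 'Session::Cookie';
#     $app;
# };

# Hardened configuration: with 'secret' set, the middleware signs the cookie
# (HMAC) and rejects any cookie whose signature does not verify before it is
# deserialized. The secret is taken from the environment so it is never
# committed with the code; refusing to start without it makes the weak state
# impossible to deploy by accident. Parentheses on die() keep it from
# swallowing the remaining options as its argument list.
my $secret = $ENV{PLACK_SESSION_SECRET} // die("PLACK_SESSION_SECRET is not set\n");

builder {
    enable 'Session::Cookie',
        secret   => $secret,
        httponly => 1,   # keep the cookie away from document.cookie
        secure   => 1;   # only send it over HTTPS
    $app;
};
```

Run as a .psgi file (for example with plackup) after exporting PLACK_SESSION_SECRET; updating to version 0.23 or later remains the actual remediation, since later releases enforce signing rather than leaving it to configuration.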

Details

CWE(s)

Affected Products

miyagawa plack

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables remote unauthenticated arbitrary code execution via specially crafted cookies in a public-facing Plack middleware for Perl web applications, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References