Plack Middleware Session Cookie Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in Plack::Middleware::Session::Cookie versions prior to 0.21 for Perl. The issue arises during deserialization of the session cookie: when no secret is configured to sign the cookie, its contents are not authenticated, so client-supplied cookie data is deserialized as-is, allowing an attacker to execute arbitrary code on the server.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where the affected middleware is used.

Remediation

Users of Plack::Middleware::Session::Cookie should update to version 0.22 or later, which emits a warning when the secret option is not set. Version 0.23 (TRIAL) goes further: it refuses to run without a secret and reports an error at startup. In all cases, the secret option should be set when using the middleware.
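The weak and the corrected configuration side by side, as an added example written for this advisory (not code from the Plack project): a minimal app.psgi that leaves the secret unset, followed by one that signs the cookie and refuses to start without a secret, mirroring the 0.23 TRIAL behaviour described above. The SESSION_SECRET environment variable name and the 32-character minimum are assumptions.

```perl
# app.psgi: added example, not part of the advisory or of Plack itself.
use strict;
use warnings;
use Plack::Builder;

# Base application: counts visits using the session hash that the
# middleware stores in the cookie.
my $app = sub {
    my $env     = shift;
    my $session = $env->{'psgix.session'};
    $session->{visits} = ($session->{visits} // 0) + 1;
    return [ 200, [ 'Content-Type' => 'text/plain' ],
             [ "visits: $session->{visits}\n" ] ];
};

# Weak configuration: no secret, so the cookie is unsigned and whatever
# the client sends is deserialized unverified (the condition described
# in the advisory). Shown commented out; do not deploy this.
#
#   builder {
#       enable 'Session::Cookie';
#       $app;
#   };

# Hardened configuration: fail at startup when no secret is available
# (the behaviour the advisory attributes to the 0.23 TRIAL release) and
# sign the cookie so a cookie that fails signature verification is
# discarded instead of being deserialized.
my $secret = $ENV{SESSION_SECRET}   # assumed environment variable name
    // die "SESSION_SECRET is not set; refusing to start without a session secret\n";
die "SESSION_SECRET is too short; use at least 32 characters\n"   # assumed minimum
    if length($secret) < 32;

builder {
    enable 'Session::Cookie',
        secret   => $secret,
        httponly => 1,   # keep the cookie out of reach of client-side scripts
        secure   => 1;   # only send the cookie over HTTPS
    $app;
};
```

Run with `SESSION_SECRET=<long random value> plackup app.psgi`; starting it without the variable aborts before any request is served.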

Added: Mar 26, 2026, 3:21 AM
Updated: Mar 26, 2026, 3:21 AM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          7.5
  exploitability  7.4
  remediation     0.0
  relevance       4.7
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.