plack/Plack-Middleware-Session

plack/Plack-Middleware-Session

Releases29

Frequency6 months 2 weeks

Last Release 12 months ago

Stars40

A very minimalist session library for Plack

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2013-10031 ↗	Dec 9, 2025Tuesday, 9 December 2025, 01:16	7.5 HIGH	—
Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks
CVE-2025-40923 ↗	Jul 16, 2025Wednesday, 16 July 2025, 13:15	7.3 HIGH	—
Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.