Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2014-125112

9.8 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 3 weeks, 2 days ago

Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution

Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.

References

https://gist.github.com/miyagawa/2b8764af908a0dacd43d technical-description
https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/chang… release-notes
http://www.openwall.com/lists/oss-security/2026/03/26/2

Affected products

Plack-Middleware-Session

=<0.21

Matching in nixpkgs

pkgs.perlPackages.PlackMiddlewareSession

Middleware for session management

nixos-unstable 0.33
- nixpkgs-unstable 0.33
- nixos-unstable-small 0.33
nixos-25.11 0.33
- nixos-25.11-small 0.33
- nixpkgs-25.11-darwin 0.33

pkgs.perl5Packages.PlackMiddlewareSession

Middleware for session management

nixos-unstable 0.33
- nixpkgs-unstable 0.33
- nixos-unstable-small 0.33

pkgs.perl538Packages.PlackMiddlewareSession

Middleware for session management

nixos-25.11 0.33
- nixos-25.11-small 0.33
- nixpkgs-25.11-darwin 0.33

pkgs.perl540Packages.PlackMiddlewareSession

Middleware for session management

nixos-25.11 0.33
- nixos-25.11-small 0.33
- nixpkgs-25.11-darwin 0.33