CVE-2024-58134 is a high-severity vulnerability affecting the Mojolicious web framework for Perl, specifically versions from 0.999922 through 9.40. The core issue is the use of a hard-coded cryptographic key or a predictable default secret (such as the application's class name) as the HMAC session secret. HMAC (Hash-based Message Authentication Code) is used to ensure the integrity and authenticity of session cookies. By relying on a static or easily guessable secret, the framework exposes session cookies to forgery attacks. An attacker who discovers or guesses this secret can generate valid HMAC signatures for session cookies, enabling them to tamper with session data or hijack other users' sessions without needing to authenticate or interact with the victim. This vulnerability stems from CWE-321 (Use of Hard-coded Cryptographic Key) and CWE-331 (Insufficient Entropy). The CVSS 3.1 base score is 8.1, reflecting high impact on confidentiality and integrity, with network attack vector, low attack complexity, and requiring low privileges but no user interaction. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and should be considered a significant risk for applications using affected Mojolicious versions without custom session secrets.

For European organizations, this vulnerability poses a substantial risk to web applications built on the Mojolicious Perl framework that have not overridden the default session secret. Successful exploitation allows attackers to hijack user sessions, potentially gaining unauthorized access to sensitive information, user accounts, or administrative functions. This can lead to data breaches, unauthorized transactions, and loss of user trust. Sectors such as finance, healthcare, government, and e-commerce, which often handle sensitive personal and financial data, are particularly vulnerable. The ability to forge session cookies without user interaction or elevated privileges increases the likelihood of automated or remote exploitation. Additionally, compromised sessions could facilitate further lateral movement within an organization's network. Given the widespread use of Perl in legacy and niche web applications across Europe, the impact can be broad, especially where patching or secret customization has not been enforced.

European organizations should immediately audit their Mojolicious-based applications to determine if they use affected versions (0.999922 through 9.40) and whether the default HMAC session secret is in use. The primary mitigation is to configure a strong, unique, and unpredictable session secret explicitly rather than relying on the default. This secret should be generated using a cryptographically secure random number generator and stored securely, for example, in environment variables or secure vaults. Organizations should upgrade to the latest Mojolicious version where this issue is fixed or patched. Additionally, implement monitoring for unusual session activity and consider adding multi-factor authentication to reduce the impact of session hijacking. Web application firewalls (WAFs) can be tuned to detect anomalous session cookie manipulations. Regular security code reviews and penetration testing focusing on session management should be conducted. Finally, educate developers about the risks of hard-coded secrets and enforce secure coding practices to prevent similar vulnerabilities.