
CVE-2024-58135: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in SRI Mojolicious

Medium
Tags: Vulnerability, CVE-2024-58135, cve, cwe-338
Published: Sat May 03 2025 (05/03/2025, 10:16:10 UTC)
Source: CVE
Vendor/Project: SRI
Product: Mojolicious

Description

Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

AI-Powered Analysis

Last updated: 07/04/2025, 21:42:26 UTC

Technical Analysis

CVE-2024-58135 is a medium-severity vulnerability in the Mojolicious web framework for Perl, affecting versions 7.28 through 9.40. When a new application is scaffolded with the "mojo generate app" tool, the session secret written into the application's configuration file is derived from Perl's rand() function. rand() is a general-purpose linear congruential generator (Perl ships its own drand48 implementation, with 48 bits of internal state) and its own documentation warns that it is not cryptographically secure; a secret derived from it carries far less entropy than its length suggests, however it is hashed or encoded before being written out.

The secret matters because Mojolicious sessions live client-side in a signed cookie: the session data is serialized into the cookie value and an HMAC computed with the application's secret is appended, so the server accepts whatever session content carries a valid signature. An attacker who recovers the secret, for example by brute-forcing the limited output space of rand() against a session cookie (possibly their own) and checking which candidate reproduces its signature, can sign arbitrary session data and impersonate any user. No prior authentication or user interaction is needed, only network access to the application. The weakness is classified as CWE-338 (use of a cryptographically weak PRNG).

No exploitation in the wild has been reported. The CVSS v3.1 base score is 5.3 (medium): network attack vector, low attack complexity, no privileges required, no user interaction, with the scored impact limited to confidentiality. Note that the practical consequence of a recovered secret is forged sessions, which is an integrity failure of the session mechanism even though the vector records only confidentiality. Only applications that still use the secret written at scaffolding time are exposed; an application that sets its own high-entropy secrets through $app->secrets is unaffected by the generator's weakness. No patch is linked from this record; the affected range ending at 9.40 suggests the generator was changed in a later release, but for existing applications the remediation is to replace the secret by hand regardless of the framework version.

Potential Impact

For European organizations running Mojolicious web applications, the practical risk is session forgery: an attacker who recovers a weak HMAC secret can mint a session cookie for any user and obtain that user's access without a password. This is particularly concerning for sectors handling personal data under GDPR, such as finance, healthcare and e-commerce, where an impersonated session can become a reportable breach with regulatory penalties. The CVSS vector scores only confidentiality, but because the session mechanism can no longer distinguish legitimate from attacker-signed cookies, the effect on the application is a loss of integrity of its authentication state; availability is not affected. Exploitation requires no authentication or user interaction, only network access and a session cookie to check candidate secrets against, so vulnerable applications can be targeted remotely. No exploitation in the wild has been reported, and the attacker must still do the brute-force work, which bounds the effort rather than removing it. The applications most exposed are those scaffolded with "mojo generate app" on an affected version that still carry the secret the tool wrote; applications whose operators replaced that secret with a high-entropy value, or that never used the generated configuration, are not affected. The medium severity score indicates a moderate risk that should be addressed promptly to prevent session hijacking.

Mitigation Recommendations

European organizations should take the following steps to mitigate this vulnerability:

1) Audit all Mojolicious applications, especially those scaffolded with "mojo generate app" on an affected version, and locate where session secrets are set (the generated configuration file, or an explicit $app->secrets call in startup). Treat any secret that originated from the generator as compromised.

2) Replace generator-produced secrets with values drawn from a cryptographically secure source: Crypt::PRNG (part of CryptX), Crypt::URandom, or /dev/urandom directly. A 32-byte (256-bit) random value is ample; rand() and anything derived from it is not acceptable, however it is hashed.

3) Do not rely on the scaffolded default. Set the secret explicitly in configuration and handle it like any other credential: keep it out of version control and out of logs.

4) Rotate rather than silently overwrite. Mojolicious signs new cookies with the first secret in the list and verifies against every secret in it, so put the new secret first and keep the old one temporarily if existing sessions must survive, then remove the old secret once those sessions have expired. If logging every current user out is acceptable, simply replace the value.

5) Track Mojolicious releases and upgrade past 9.40 once a release addresses the generator. Upgrading alone does not repair a secret already written into an existing application's configuration, so steps 1 to 4 are still required.

6) Apply defence in depth to sessions: short session lifetimes (the sessions object's default_expiration), the Secure flag on the session cookie (the sessions object's secure attribute; Mojolicious already sets HttpOnly), and invalidation on logout, to shorten the window in which a forged or stolen session is useful.

7) Include session management in penetration tests to verify that the mitigations are effective.

8) Train developers on the difference between general-purpose and cryptographic PRNGs so the pattern does not recur.
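The following Perl script is an added example, not code from the Mojolicious project or from this advisory. It covers steps 2 and 4 above: it draws a 256-bit secret from /dev/urandom, shows a rand()-derived value only to illustrate the weak pattern (it is not the generator's exact code), and builds a rotated secrets list in which the new secret signs and the old one is kept for verification. The placeholder old secret, the weak_secret_do_not_use function, the my_app.yml location and the direct /dev/urandom read are assumptions for illustration; Crypt::PRNG or Crypt::URandom can replace the device read on platforms without it.

```perl
#!/usr/bin/env perl
# Added example, not Mojolicious project code: replace a rand()-derived
# session secret with a CSPRNG-derived one and rotate it without
# invalidating sessions signed before the change.
use strict;
use warnings;
use Mojo::Util qw(sha1_sum);

# Illustration of the weak pattern only (NOT the framework's exact code):
# rand() is Perl's general-purpose drand48 generator with 48 bits of
# internal state, and perldoc -f rand warns it is not cryptographically
# secure. Hashing its output to 160 bits adds no entropy.
sub weak_secret_do_not_use {
    return sha1_sum(join '', map { rand() } 1 .. 4);
}

# Read exactly $n bytes from the kernel CSPRNG. Crypt::PRNG::random_bytes
# (CryptX) or Crypt::URandom::urandom are portable replacements.
sub csprng_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $got = read $fh, my $buf, $n;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return $buf;
}

# 32 random bytes = 256 bits of entropy, hex encoded to 64 characters.
sub strong_secret { return unpack 'H*', csprng_bytes(32) }

# Mojolicious signs new session cookies with the first secret and accepts a
# cookie signed by any secret in the list. Prepending the new secret and
# keeping the most recent old one lets pre-rotation sessions keep working
# until they expire; drop the old secret from the config after that.
sub rotated_secrets {
    my ($new, @current) = @_;
    my $keep = 1;    # assumption: retaining one previous secret is enough
    return [ $new, grep { defined } @current[ 0 .. $keep - 1 ] ];
}

# Assumed current value, as it might be copied from a scaffolded config.
my @current = ('0123456789abcdef0123456789abcdef01234567');

my $new     = strong_secret();
my $secrets = rotated_secrets($new, @current);

print "# weak pattern (do not use): ", weak_secret_do_not_use(), "\n";
print "# paste into the app's config file (my_app.yml in a 9.x generated app):\n";
print "secrets:\n";
print "- $_\n" for @$secrets;

# The generated application hands this list to $app->secrets during startup;
# check lib/MyApp.pm for the equivalent of:
#   my $config = $self->plugin('NotYAMLConfig');
#   $self->secrets($config->{secrets});
```

Run it once per application, install the printed list, and schedule a second edit that deletes the old secret after the longest session lifetime has elapsed; with only the new secret in place, cookies signed under the weak value are rejected, which is the intended end state.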


Technical Details

Data Version: 5.1
Assigner Short Name: CPANSec
Date Reserved: 2025-04-07T16:06:37.226Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9816c4522896dcbd6a16

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 7/4/2025, 9:42:26 PM

Last updated: 8/12/2025, 2:18:26 PM

