Skip to content

Instantly share code, notes, and snippets.



Last active Aug 29, 2015
What would you like to do?
Plack::Middleware::Session::Cookie vulnerability

Aug 11, 2014

Plack::Middleware::Session::Cookie 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server, when the middleware is enabled without a secret.

If you use Plack::Middleware::Session::Cookie, you're required to pass a secret option to the middleware. The value of the secret key must obviously be kept private.

  • Version 0.22 is released today, which gives you a big WARNING when it is enabled without a secret set.
  • Version 0.23 TRIAL is released, which refuses to run without a secret set, giving an error message on the startup. This will become a non-trial release in a few days.


  • Set secret option to the middleware
  • Use your own serializer/deserializer classes that are not Storable


Because the middleware uses Storable module, an attacker could carefully craft a binary that could call DESTROY method on arbitrary classes (see perldoc Storable for SECURITY WARNING). Future versions of the middleware will change the default serialization method.

Thanks to mala (@bulkneets) for reporting this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment