HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend. For example, if an application uses memcached for session storage, then it may be possible for a remote attacker to inject memcached commands in the session id value.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Tokuhirom Http\
cpe:2.3:a:tokuhirom:http\:\:session2:*:*:*:*:*:perl:*:*
|
— |
<= 1.09
|
References 4
https://github.com/tokuhirom/HTTP-Session2/commit/813838f6d08034b6a265a70e53b59…
9b29abf9-4ab0-4765-b253-1875cd9b441e
https://metacpan.org/pod/Cache::Memcached::Fast::Safe
9b29abf9-4ab0-4765-b253-1875cd9b441e
https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.10/source/Changes
9b29abf9-4ab0-4765-b253-1875cd9b441e
http://www.openwall.com/lists/oss-security/2026/02/27/13
af854a3a-2127-422b-91ae-364da2661108