CVE-2018-25160
MEDIUM EPSS 32.2%
Published Feb 27, 2026 (4mo ago) · Modified Mar 18, 2026 (3mo ago)
6.5 CVSS 3.1
Description
HTTP::Session2 versions through 1.09 for Perl do not validate the format of user-provided session ids, enabling code injection or other impact depending on the session backend. For example, if an application uses memcached for session storage, a remote attacker may be able to inject memcached commands in the session id value.
CVSS Details
Base Score
Exploitability
Impact
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: None
Threat Intelligence
EPSS Exploit Probability
32.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-20 Improper Input Validation
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| tokuhirom | HTTP::Session2 | | ≤1.09 |
References 4
- openwall.com http://www.openwall.com/lists/oss-security/2026/02/27/13
- github.com https://github.com/tokuhirom/HTTP-Session2/commit/813838f6d08034b6a265a70e53b59b941b5d3e6d.patch
- metacpan.org https://metacpan.org/pod/Cache::Memcached::Fast::Safe
- metacpan.org https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.10/source/Changes
Remediation
- github.com https://github.com/tokuhirom/HTTP-Session2/commit/813838f6d08034b6a265a70e53b59b941b5d3e6d.patch