CVE-2018-25160

MEDIUM EPSS 32.2%
Published Feb 27, 2026 (4mo ago) · Modified Mar 18, 2026 (3mo ago)
6.5 CVSS 3.1
Medium

Description

HTTP::Session2 versions through 1.09 for Perl do not validate the format of user-provided session ids, enabling code injection or other impact depending on the session backend. For example, if an application uses memcached for session storage, it may be possible for a remote attacker to inject memcached commands in the session id value.

CVSS Details

Base Score
6.5
Exploitability
3.9
Impact
2.5
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
32.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-20 Improper Input Validation

Affected Products 1

Vendor | Product | Version Range
tokuhirom | http\\ | ≤1.09

References 4

  • openwall.com http://www.openwall.com/lists/oss-security/2026/02/27/13
    Mailing List, Third Party Advisory
  • github.com https://github.com/tokuhirom/HTTP-Session2/commit/813838f6d08034b6a265a70e53b59b941b5d3e6d.patch
    Patch
  • metacpan.org https://metacpan.org/pod/Cache::Memcached::Fast::Safe
    Third Party Advisory
  • metacpan.org https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.10/source/Changes
    Product, Release Notes

Remediation

  • github.com https://github.com/tokuhirom/HTTP-Session2/commit/813838f6d08034b6a265a70e53b59b941b5d3e6d.patch
    Patch