Security Advisories (1)
CVE-2025-40925 (2025-09-20)

Starch versions 0.14 and earlier generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with a counter, the epoch time, the built-in rand function, the PID, and internal Perl reference addresses. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems.

NAME

Starch::Plugin::Trace - Add extra trace logging to your manager, states, and stores.

SYNOPSIS

my $starch = Starch->new(
    plugins => ['::Trace'],
    ....,
);

DESCRIPTION

This plugin logs a lot of debug information to Log::Any under the trace level.

See the Log::Any documentation for instructions on how to output these log messages using an adapter.

This plugin is meant for non-production use, as logging will reduce performance. Note also that most of the messages below carry the state ID (or store key) of the session in question, so trace output should be handled as sensitive data.

MANAGER LOGGING

These messages are logged from the Starch::Manager object.

new

Every time a Starch::Manager object is created, a message is logged in the format of starch.manager.new.

state

Every call to "state" in Starch::Manager is logged in the format of starch.manager.state.$action.$state_id, where $action is either retrieve or create, depending on whether a state ID was provided.

STATE LOGGING

These messages are logged from the Starch::State object.

new

Every time a Starch::State object is created, a message is logged in the format of starch.state.new.$state_key.

save

Every call to "force_save" in Starch::State (which save calls if the state isn't dirty) is logged in the format of starch.state.save.$state_id.

reload

Every call to "force_reload" in Starch::State (which reload calls if the state isn't dirty) is logged in the format of starch.state.reload.$state_id.

mark_clean

Every call to "mark_clean" in Starch::State is logged in the format of starch.state.mark_clean.$state_id.

rollback

Every call to "rollback" in Starch::State is logged in the format of starch.state.rollback.$state_id.

delete

Every call to "force_delete" in Starch::State (which delete calls if the state is in the store) is logged in the format of starch.state.delete.$state_id.

generate_id

Every call to "generate_id" in Starch::State is logged in the format of starch.state.generate_id.$state_id.

STORE LOGGING

These messages are logged from the Starch::Store object.

The $store_name part of the log messages below is the name of the store class with the leading Starch::Store:: removed.

new

Every time a Starch::Store object is created, a message is logged in the format of starch.store.$store_name.new.

set

Every call to "set" in Starch::Store is logged in the format of starch.store.$store_name.set.$state_key.

get

Every call to "get" in Starch::Store is logged in the format of starch.store.$store_name.get.$state_key.

If the result of calling get is undefined, an additional message is logged in the format of starch.store.$store_name.get.$state_key.missing.

remove

Every call to "remove" in Starch::Store is logged in the format of starch.store.$store_name.remove.$state_key.
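The following script is an added example, not part of the Starch distribution, that turns these trace messages on with the Log::Any Stderr adapter and walks through the manager, state and store calls documented above, noting which message each one produces. It assumes the in-memory store (Starch::Store::Memory) and Log::Any::Adapter::Stderr are installed; the unknown state ID it looks up is a constructed placeholder.

```perl
#!/usr/bin/env perl
# Added example (not Starch's own code): route Starch::Plugin::Trace output
# to STDERR. Assumes Log::Any::Adapter::Stderr and Starch::Store::Memory.
use strict;
use warnings;

# Pick the adapter before Starch is loaded so every category is captured.
# Trace messages sit below debug, so the level must be lowered to 'trace'.
use Log::Any::Adapter ('Stderr', log_level => 'trace');

use Starch;

# Logs starch.manager.new and starch.store.Memory.new.
my $starch = Starch->new(
    plugins => ['::Trace'],
    store   => { class => '::Memory' },   # assumption: in-memory store
);

# No ID supplied, so the manager logs starch.manager.state.create.$state_id,
# followed by starch.state.new.$state_key for the new state object.
my $state = $starch->state();
my $id    = $state->id();

# Changing data marks the state dirty; save() then calls force_save(),
# which logs starch.state.save.$state_id and starch.store.Memory.set.$state_key.
$state->data->{user} = 'alice';
$state->save();

# An existing ID logs starch.manager.state.retrieve.$state_id; reading the
# data triggers the store lookup, logging starch.store.Memory.get.$state_key.
my $again = $starch->state($id);
printf "retrieved user: %s\n", $again->data->{user};

# A constructed, never-stored ID: the get is logged as above, plus
# starch.store.Memory.get.$state_key.missing because the store returns undef.
my $missing = $starch->state('constructed-unknown-id');
printf "unknown id has %d data keys\n", scalar keys %{ $missing->data };

# delete() calls force_delete() only when the state is in the store, logging
# starch.state.delete.$state_id and starch.store.Memory.remove.$state_key.
$again->delete();
```

Each message is emitted at Log::Any's trace level, so any adapter configured for a higher level will discard them silently.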

AUTHORS AND LICENSE

See "AUTHOR" in Starch, "CONTRIBUTORS" in Starch, and "LICENSE" in Starch.