CVE-2025-40923

Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/plack/Plack-Middleware-Session/commit/1fbfbb355e34e7f4b3906f66cf958cedadd2b9be.patch
https://github.com/plack/Plack-Middleware-Session/pull/52
https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.34/source/lib/Plack/Session/State.pm#L22
https://security.metacpan.org/docs/guides/random-data-for-security.html

Configurations

No configuration.

History

16 Jul 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-16 13:15

Updated : 2025-07-16 21:15

NVD link : CVE-2025-40923

Mitre link : CVE-2025-40923

CVE.ORG link : CVE-2025-40923

JSON object : View

Products Affected

No product.

CWE

CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CWE-340

Generation of Predictable Numbers or Identifiers

7.3 /10