CVE-2025-40923
BaseFortify
Publication date: 2025-07-16
Last updated on: 2025-11-04
Assigner: CPANSec
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| plack | plack-session | * |
| plack | plack-middleware-session | * |
| crypt | sysrandom | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-340 | The product uses a scheme that generates numbers or identifiers that are more predictable than required. |
| CWE-338 | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Plack-Middleware-Session versions before 0.35 for Perl, where session IDs are generated insecurely. The default session ID generator uses a SHA-1 hash seeded with the built-in rand function, the epoch time, and the process ID (PID). Since the PID comes from a small set of numbers and the epoch time can be guessed or leaked, and because the built-in rand function is not suitable for cryptographic purposes, the generated session IDs are predictable.
How can this vulnerability impact me? :
Because the session IDs are predictable, an attacker could potentially guess or reproduce valid session IDs, allowing them to gain unauthorized access to user sessions and systems that rely on these session IDs for authentication.