CVE-2025-40924
BaseFortify
Publication date: 2025-07-17
Last updated on: 2025-07-17
Assigner: CPANSec
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| perl | catalyst_plugin_session | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-340 | The product uses a scheme that generates numbers or identifiers that are more predictable than required. |
| CWE-338 | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Catalyst::Plugin::Session before version 0.44 for Perl, where session IDs are generated insecurely. The session ID is created using a hash (usually SHA-1) of low-entropy data including a simple counter, the epoch time, the built-in rand function, the process ID (PID), and the current Catalyst context. Because these inputs are predictable or guessable, the resulting session IDs are predictable.
How can this vulnerability impact me?
Predictable session IDs could allow an attacker to guess or predict valid session identifiers, potentially enabling unauthorized access to user sessions or systems that rely on these session IDs for authentication or session management.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Catalyst::Plugin::Session to version 0.44 or later to ensure session IDs are generated securely with higher entropy, preventing predictability.
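The weak pattern described above next to a generator that draws from the kernel CSPRNG, followed by a check of the installed plugin against the fixed release 0.44. This is an added example, not code from Catalyst::Plugin::Session or from this page; the function names, the `/dev/urandom` source and the 20-byte length are assumptions made for illustration.

```perl
#!/usr/bin/env perl
# Added illustration; not code from Catalyst::Plugin::Session.
use strict;
use warnings;
use version;
use Digest::SHA qw(sha1_hex);

my $counter = 0;

# Weak pattern from the description: a hash over guessable, low-entropy inputs.
# $context is a stand-in for the Catalyst context object (assumption).
sub weak_session_id {
    my ($context) = @_;
    return sha1_hex( join '', ++$counter, time, rand, $$, "$context" );
}

# Hardened form (assumption, not necessarily what 0.44 does): take all
# 160 bits from the kernel CSPRNG and hex-encode them.
sub strong_session_id {
    my $want = 20;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    while ( length($buf) < $want ) {
        my $n = sysread( $fh, $buf, $want - length($buf), length($buf) );
        die "read from /dev/urandom failed: $!" unless defined $n;
        die "unexpected EOF on /dev/urandom"    unless $n;
    }
    close $fh;
    return unpack 'H*', $buf;
}

# True when the given version is the fixed release (0.44) or later.
sub is_patched {
    my ($installed) = @_;
    return version->parse($installed) >= version->parse('0.44');
}

my $ctx = {};    # constructed placeholder for the context
printf "weak   (illustration only): %s\n", weak_session_id($ctx);
printf "strong (CSPRNG):            %s\n", strong_session_id();

my $v = eval { require Catalyst::Plugin::Session; Catalyst::Plugin::Session->VERSION };
if    ( !defined $v )    { print "Catalyst::Plugin::Session is not installed\n" }
elsif ( is_patched($v) ) { print "installed $v: patched\n" }
else                     { print "installed $v: upgrade to 0.44 or later\n" }
```

Both functions return 40 hex characters, so the output format alone does not reveal which generator produced an ID; the difference lies entirely in the entropy of the inputs.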