CVE-2024-58040
BaseFortify

Publication date: 2025-09-30

Last updated on: 2026-03-09

Assigner: CPANSec

Description
Crypt::RandomEncryption for Perl version 0.01 uses the insecure rand() function during encryption.
Meta Information
Published: 2025-09-30
Last Modified: 2026-03-09
Generated: 2026-06-16
AI Q&A: 2025-09-30
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: qwer
Product: crypt
Version / Range: *
CWE ID: Description
CWE-331: The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
CWE-338: The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
Executive Summary

The vulnerability in Crypt::RandomEncryption version 0.01 is due to its use of the insecure rand() function during encryption. This Perl module implements encryption based on the RC4 algorithm with an added randomized encoding layer. However, the randomness used for encoding relies on the insecure rand() function, which can produce predictable random values. This weak randomness undermines the security of the encryption, potentially allowing attackers to predict or reproduce parts of the encrypted output, reducing the overall confidentiality of the encrypted data. [1]

Impact Analysis

This vulnerability weakens the security of any data encrypted using Crypt::RandomEncryption version 0.01. Because the rand() function used for randomization is insecure and predictable, attackers may be able to analyze or guess the random characters interleaved in the ciphertext, making it easier to decrypt or tamper with the encrypted data without the key. This compromises the confidentiality and integrity of sensitive information protected by this module. [1]

Detection Guidance

This vulnerability arises from the use of the insecure rand() function in version 0.01 of the Crypt::RandomEncryption Perl module during encryption. To detect its presence on your system, check whether this specific module version is installed. For example, run the command `perl -MCrypt::RandomEncryption -e 'print $Crypt::RandomEncryption::VERSION'` to see the installed version. Scanning your codebase and scripts for uses of the Crypt::RandomEncryption module can also help identify potentially vulnerable code. Network detection is difficult because the vulnerability is internal to the encryption method, although monitoring for encrypted traffic generated by this module might be possible if you know the encryption patterns. The resources provide no specific network commands. [1]
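
The two checks described above (installed version and references in a codebase), combined into one script. This is an added example, not code from the advisory or the module's author; the function names, the list of file names searched, and the comment filter are assumptions of this example.

```shell
#!/bin/sh
# Added example: inventory check for Crypt::RandomEncryption (CVE-2024-58040).
# Usage: . ./check.sh; report /path/to/code   (file name is hypothetical)

MODULE='Crypt::RandomEncryption'

# Print the installed module version using the command quoted above,
# or a marker when perl or the module is absent.
installed_version() {
    command -v perl >/dev/null 2>&1 || { echo 'perl-not-found'; return 0; }
    perl -M"$MODULE" -e 'print $Crypt::RandomEncryption::VERSION' 2>/dev/null \
        || echo 'not-installed'
}

# Print "file:line:text" for every non-comment line that names the module in
# Perl sources and common dependency manifests (assumed file-name list).
# Longer names such as Crypt::RandomEncryptionX are deliberately not matched.
scan_tree() {
    find "$1" -type f \( -name '*.pl' -o -name '*.pm' -o -name '*.t' \
        -o -name '*.psgi' -o -name 'cpanfile' -o -name 'Makefile.PL' \
        -o -name 'Build.PL' -o -name 'META.json' \) \
        -exec grep -HnE "(^|[^A-Za-z0-9_:])${MODULE}([^A-Za-z0-9_]|\$)" {} + \
        2>/dev/null | grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true
}

# Number of referencing lines found under a directory.
count_hits() {
    scan_tree "$1" | wc -l | tr -d ' '
}

# One-line summary followed by the individual references.
report() {
    ver=$(installed_version)
    hits=$(count_hits "$1")
    echo "module=$MODULE installed=$ver references=$hits"
    if [ "$ver" = '0.01' ]; then
        echo 'affected version 0.01 is installed'
    fi
    if [ "$hits" -gt 0 ]; then
        scan_tree "$1"
    fi
}
```

Lines that are wholly Perl comments are skipped, so a commented-out `use` statement does not count as a reference.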

Mitigation Strategies

Immediate mitigation steps include avoiding the use of Crypt::RandomEncryption version 0.01 due to its reliance on the insecure rand() function. If you are using this module, replace it with a more secure encryption library that does not use insecure random number generation. If updating or replacing the module is not immediately possible, avoid using the encryption functionality or limit its use to non-sensitive data until a secure version is available. Additionally, review your encryption keys and consider re-encrypting sensitive data with a secure method. [1]
