CVE-2025-40925
BaseFortify
Publication date: 2025-09-20
Last updated on: 2025-09-22
Assigner: CPANSec
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bluefeet | starch | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-340 | The product uses a scheme that generates numbers or identifiers that are more predictable than required. |
| CWE-338 | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the Starch software (version 0.14 and earlier) generating session IDs insecurely. The session ID generator uses predictable inputs such as a counter, epoch time, built-in random function, process ID, and internal Perl reference addresses, then hashes them with SHA-1. Because some of these inputs are guessable or come from a small set of values, the resulting session IDs are predictable. Predictable session IDs can allow attackers to guess or reproduce valid session identifiers, potentially gaining unauthorized access to systems. [1, 3]
How can this vulnerability impact me?
The vulnerability can impact you by allowing an attacker to predict or guess session IDs used for authentication. This could enable unauthorized access to your systems or applications that rely on Starch for session management, leading to potential data breaches or unauthorized actions performed under a compromised session.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves predictable session IDs generated by Starch versions 0.14 and earlier. To detect it, you can monitor session IDs used by your application and check if they are predictable or generated using weak entropy sources. Since the original session IDs are SHA-1 hashes of a seed composed of counters, timestamps, PIDs, and other predictable data, you might attempt to capture session IDs and analyze their randomness or try to reproduce them if you have access to the system time and process information. Specific commands depend on your environment, but generally, you can capture HTTP traffic using tools like tcpdump or Wireshark to extract session IDs, then analyze them for predictability. For example, using tcpdump to capture HTTP traffic on port 80: `tcpdump -i any -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'` and then searching for session ID cookies or parameters. Additionally, you can review your Starch version and code to see if it uses the vulnerable session ID generation method described.
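The answer above suggests extracting session IDs from captured HTTP traffic and looking at them. The following Python script is an added example, not part of the BaseFortify page or the Starch project: it pulls a `session_id` cookie out of a constructed tcpdump-style capture and reports reused and too-short IDs plus a per-hex-digit entropy estimate. The cookie name and the sample responses are assumptions. One caveat that matters for this CVE: a SHA-1 digest of a weak seed is statistically indistinguishable from 20 random bytes, and both are 40 hex characters, so this kind of analysis cannot tell the old generator from the patched one. It does confirm which cookie carries the session and catches gross defects such as reuse; the decisive check for CVE-2025-40925 remains the installed Starch version.

```python
"""Extract session-ID cookies from captured HTTP responses and summarise them.

Added example, not code from the BaseFortify page or from Starch. The capture
text, the cookie name `session_id` and the 40-hex-character shape (a 20-byte
value, as both the old SHA-1 and the patched random_bytes(20) generator yield)
are assumptions.
"""
import math
import re
from collections import Counter

# Constructed sample: four HTTP responses as `tcpdump -A` would print them.
SAMPLE_CAPTURE = """\
HTTP/1.1 200 OK
Set-Cookie: session_id=2fd4e1c67a2d28fced849ee1bb76e7391b93eb12; Path=/; HttpOnly

HTTP/1.1 200 OK
Set-Cookie: session_id=2fd4e1c67a2d28fced849ee1bb76e7391b93eb12; Path=/; HttpOnly

HTTP/1.1 200 OK
Set-Cookie: session_id=abc123; Path=/

HTTP/1.1 302 Found
Set-Cookie: session_id=de9f2c7fd25e1b3afad3e85a0bd17d9b100db4b3; Path=/; Secure; HttpOnly
"""

COOKIE_RE = re.compile(r"Set-Cookie:\s*session_id=([^;\s]+)", re.IGNORECASE)
HEX40_RE = re.compile(r"^[0-9a-f]{40}$")


def extract_session_ids(capture: str) -> list:
    """Return every session_id cookie value in the order it appears."""
    return COOKIE_RE.findall(capture)


def hex_entropy_bits_per_char(ids) -> float:
    """Shannon entropy over the hex digits of the given IDs (4.0 is the maximum)."""
    counts = Counter("".join(ids).lower())
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def summarise(ids) -> dict:
    """Flag reused and short IDs; note that shape alone cannot reveal a weak seed."""
    counts = Counter(ids)
    hex40 = sorted(v for v in counts if HEX40_RE.match(v))
    return {
        "total": len(ids),
        "unique": len(counts),
        "reused": sorted(v for v, n in counts.items() if n > 1),
        "too_short": sorted(v for v in counts if len(v) < 32),
        "hex40": hex40,
        "entropy_bits_per_hex_char": round(hex_entropy_bits_per_char(hex40), 3),
    }


if __name__ == "__main__":
    report = summarise(extract_session_ids(SAMPLE_CAPTURE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real capture by replacing `SAMPLE_CAPTURE` with the text of `tcpdump -A` output and adjusting `COOKIE_RE` to the cookie name your application uses.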
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade Starch to a version that includes the patch replacing the insecure session ID generation with a cryptographically secure method. The patch uses `Crypt::SysRandom::random_bytes(20)` to generate 20 bytes of secure random data for session IDs, eliminating predictability. If upgrading is not immediately possible, consider applying the patch from Resource 1 or Resource 3 manually, which replaces the weak seed-based SHA-1 session ID generation with secure random bytes. Also, ensure that the `Crypt::SysRandom` module is installed and available. Additionally, review your session management to invalidate existing sessions and require new sessions to be generated with the secure method. [1, 3]
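The mitigation above has three parts: draw session IDs from a cryptographically secure source (the patch uses `Crypt::SysRandom::random_bytes(20)`), invalidate sessions created by the old generator, and issue fresh ones. The Python session store below is an added example, not the page's or Starch's own code; `os.urandom(20)` stands in for `random_bytes(20)`, and the store layout, the `generator` tag and the legacy-import helper are assumptions made to show how the old sessions can be retired in one sweep after an upgrade.

```python
"""Session store issuing IDs from the OS CSPRNG and retiring pre-patch sessions.

Added example, not code from the BaseFortify page or from Starch. In Perl the
described patch calls Crypt::SysRandom::random_bytes(20); os.urandom(20) is the
equivalent here. Everything else (record layout, generator tags) is assumed.
"""
import os
import re
import time

ID_BYTES = 20                       # same size the patched Starch generator draws
ID_RE = re.compile(r"^[0-9a-f]{40}$")  # 20 bytes, hex-encoded


def new_session_id() -> str:
    """20 bytes from the OS CSPRNG, hex-encoded; no counter, time or PID involved."""
    return os.urandom(ID_BYTES).hex()


class SessionStore:
    SECURE = "sysrandom-20"   # assumed tag for IDs made by new_session_id()
    LEGACY = "sha1-seed"      # assumed tag for IDs from the pre-patch generator

    def __init__(self, ttl_seconds: int = 3600):
        self._sessions = {}
        self.ttl = ttl_seconds

    def issue(self, user: str, now: float = None) -> str:
        """Create a session with a freshly generated secure ID and return the ID."""
        sid = new_session_id()
        self._sessions[sid] = {
            "user": user,
            "generator": self.SECURE,
            "created": time.time() if now is None else now,
        }
        return sid

    def import_legacy(self, sid: str, user: str, created: float) -> None:
        """Load a session that the old generator produced, tagged for retirement."""
        self._sessions[sid] = {"user": user, "generator": self.LEGACY, "created": created}

    def invalidate_legacy(self) -> int:
        """Drop every session not issued by the secure generator; return the count."""
        legacy = [s for s, rec in self._sessions.items() if rec["generator"] != self.SECURE]
        for sid in legacy:
            del self._sessions[sid]
        return len(legacy)

    def lookup(self, presented: str, now: float = None):
        """Return the session record for a well-formed, unexpired ID, else None."""
        if not isinstance(presented, str) or not ID_RE.match(presented):
            return None
        rec = self._sessions.get(presented)
        if rec is None:
            return None
        now = time.time() if now is None else now
        if now - rec["created"] > self.ttl:
            del self._sessions[presented]   # expired: remove and treat as unknown
            return None
        return rec

    def count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    store.import_legacy("0" * 40, "carol", created=time.time())  # constructed legacy ID
    sid = store.issue("alice")
    print("issued", sid)
    print("legacy sessions retired:", store.invalidate_legacy())
    print("alice still valid:", store.lookup(sid) is not None)
```

After deploying the upgraded Starch, the sequence is the one shown in the `__main__` block: load (or simply keep) the existing sessions, call `invalidate_legacy()` once, and let users sign in again so every live session carries an ID from the secure generator.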