CVE-2025-40905
Status: Awaiting Analysis
Insecure Randomness in WWW::OAuth Perl Causes Cryptographic Weakness

Publication date: 2026-02-13

Last updated on: 2026-03-10

Assigner: CPANSec

Description
WWW::OAuth 1.000 and earlier for Perl uses the rand() function, which is not cryptographically secure, as its default source of entropy for cryptographic functions.
Meta Information
Generated: 2026-05-27
Affected Vendors & Products (1 associated CPE)

Vendor  Product  Version / Range
dbook   www      up to and including 1.000
Weakness

CWE-338: The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


Can you explain this vulnerability to me?

The vulnerability in CVE-2025-40905 affects the Perl module WWW::OAuth version 1.000 and earlier. This module uses the rand() function as the default source of entropy for cryptographic functions. However, rand() is not cryptographically secure, meaning it can produce predictable values that weaken the security of cryptographic operations.

Because the module relies on this insecure source of randomness, the cryptographic signatures it generates for OAuth 1.0 authentication could potentially be predicted or reproduced by an attacker, undermining the security guarantees of the OAuth signing process.


How can this vulnerability impact me?

This vulnerability can impact you by weakening the security of OAuth 1.0 authentication in applications using the affected WWW::OAuth Perl module. Since the entropy source for cryptographic functions is not secure, attackers might predict or reproduce OAuth signatures.

This could allow attackers to impersonate legitimate clients or tamper with signed HTTP requests, potentially leading to unauthorized access to protected resources or data.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The vulnerability arises because WWW::OAuth 1.000 and earlier for Perl uses the rand() function, which is not cryptographically secure, as the default source of entropy for cryptographic functions.

To mitigate this vulnerability, you should avoid using versions of WWW::OAuth that rely on the insecure rand() function for entropy.

Consider updating to a version of WWW::OAuth that uses a cryptographically secure source of entropy instead of rand(), or apply patches if available.

Additionally, review your usage of the module to ensure that cryptographic operations are not relying on insecure randomness sources.

