CVE-2026-3255
Status: Awaiting Analysis (queue)
BaseFortify

Publication date: 2026-02-27

Last updated on: 2026-03-04

Assigner: CPANSec

Description
HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function. The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage. HTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), then it will revert to the insecure method described above.
Meta Information
Published: 2026-02-27
Last Modified: 2026-03-04
Generated: 2026-05-07
AI Q&A: 2026-02-27
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: tokuhirom
Product: http
Version / Range: up to 1.12 (excluding)
CWE
CWE-338: The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
CWE-340: The product uses a scheme that generates numbers or identifiers that are more predictable than required.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in HTTP::Session2 versions before 1.12 for Perl, where the session ID generator uses the built-in rand() function to create session IDs. The rand() function is not suitable for cryptographic purposes, resulting in weak session IDs.

The session ID is generated by hashing a combination of the rand() output, the epoch time, and the process ID (PID) using SHA-1. However, the PID comes from a small set of numbers, and the epoch time can be guessed or leaked, making the session IDs predictable.

Although versions after 1.02 try to use /dev/urandom for better randomness, if this device is unavailable (such as on Windows systems), the insecure method using rand() is still used.


How can this vulnerability impact me?

The use of weak session IDs can allow attackers to predict or guess valid session identifiers, potentially enabling session hijacking.

If an attacker can guess a session ID, they may gain unauthorized access to a user's session, leading to data exposure, privilege escalation, or unauthorized actions within the affected application.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade HTTP::Session2 to version 1.12 or later, where the session id generation no longer relies on the insecure rand() function.

If upgrading is not immediately possible, ensure that the /dev/urandom device is available and used for session id generation, as HTTP::Session2 after version 1.02 attempts to use it before falling back to the insecure method.

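The following is an added example, not code from HTTP::Session2 or from this page's author. It illustrates the weak pattern the description gives (SHA-1 over rand(), time and PID) next to a hardened generator that reads the kernel CSPRNG and fails closed instead of reverting to rand(), which is the mitigation the answer above recommends. Function names are assumptions chosen for this illustration; Crypt::URandom is a CPAN module named as a portable alternative for platforms without /dev/urandom.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);

# Illustration of the weak pattern the advisory describes (NOT HTTP::Session2's
# own code): SHA-1 over rand(), the epoch time and the PID. Hashing adds no
# entropy: rand() is not a CSPRNG, and time and PID are guessable, so the id
# space stays small.
sub weak_session_id {
    return sha1_hex( join '', rand(), time(), $$ );
}

# Hardened generator: 32 bytes straight from the kernel CSPRNG, hex-encoded.
# Fails closed when /dev/urandom cannot be read rather than falling back.
sub secure_session_id {
    my $want = 32;
    open my $fh, '<:raw', '/dev/urandom'
        or die "secure random source unavailable (/dev/urandom): $!";
    my $got = read $fh, my $bytes, $want;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $want;
    return unpack 'H*', $bytes;
}

# Portable alternative where /dev/urandom does not exist (e.g. Windows):
# CPAN's Crypt::URandom, e.g.
#   use Crypt::URandom qw(urandom); my $id = unpack 'H*', urandom(32);

# Startup self-check for a deployment that cannot upgrade yet: refuse to
# start rather than run with a rand()-based fallback.
sub secure_source_available {
    return -r '/dev/urandom' || eval { require Crypt::URandom; 1 };
}

die "refusing to start: no secure random source for session ids\n"
    unless secure_source_available();

printf "weak (pattern only): %s\n", weak_session_id();
printf "secure:              %s\n", secure_session_id();
```

To confirm the installed module version on a host (assuming the module exports the usual $VERSION variable), run `perl -MHTTP::Session2 -e 'print "$HTTP::Session2::VERSION\n"'` and compare it against 1.12.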
