CVE-2026-3255
Status: Awaiting Analysis - Queue
BaseFortify

Publication date: 2026-02-27

Last updated on: 2026-03-04

Assigner: CPANSec

Description
HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function. The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage. HTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), then it will revert to the insecure method described above.
Meta Information
Generated: 2026-06-16
AI Q&A generated: 2026-02-27
EPSS evaluated: 2026-06-14
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)

Vendor: tokuhirom
Product: http
Version / Range: up to 1.12 (excluding)
CWE

CWE-340: The product uses a scheme that generates numbers or identifiers that are more predictable than required.
CWE-338: The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
Executive Summary

This vulnerability exists in HTTP::Session2 versions before 1.12 for Perl, where the session ID generator uses the built-in rand() function to create session IDs. The rand() function is not suitable for cryptographic purposes, resulting in weak session IDs.

The session ID is generated by hashing a combination of the rand() output, the epoch time, and the process ID (PID) using SHA-1. Hashing does not add entropy: the PID comes from a small set of values, and the epoch time can be guessed or read from the server's HTTP Date header, so the unpredictability of the ID rests on rand() alone, and rand() is not a cryptographic generator.

Although versions after 1.02 try to use /dev/urandom for better randomness, if this device is unavailable (such as on Windows systems), the insecure method using rand() is still used.
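The construction the summary describes, beside a replacement that fails closed instead of falling back to rand(), as an added example in Perl. This is not HTTP::Session2's own code; the subroutine names are illustrative and the 32-byte output length is a choice, not something the advisory specifies.

```perl
#!/usr/bin/env perl
# Added example, not code from HTTP::Session2: the session-id construction the
# advisory describes, beside a replacement that refuses to fall back to rand().
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);

# The construction the advisory describes: SHA-1 over rand(), the epoch time
# and the PID. Hashing adds no entropy. The PID is drawn from a small set, the
# time is guessable (or leaked by the HTTP Date header), so the only secret
# input is rand(), which is not a cryptographic generator.
sub weak_session_id {
    return sha1_hex(join('', rand(), time(), $$));   # 40 hex characters
}

# Hardened replacement: 32 bytes (256 bits) read straight from /dev/urandom.
# If the device cannot be opened or read in full, die. The point is that
# there is no silent fallback; a caller that needs Windows support should use
# Crypt::URandom's urandom() here, not a rand() path.
sub strong_session_id {
    my $want = 32;
    open(my $fh, '<:raw', '/dev/urandom')
        or die "cannot open /dev/urandom ($!); refusing to fall back to rand()\n";
    my $got = read($fh, my $buf, $want);
    close($fh);
    die "short read from /dev/urandom\n"
        unless defined $got && $got == $want;
    return unpack('H*', $buf);   # 64 hex characters
}

print "weak:   ", weak_session_id(), "\n";
print "strong: ", strong_session_id(), "\n";
```

On a platform without /dev/urandom the correct substitute is the platform CSPRNG (Crypt::URandom from CPAN wraps CryptGenRandom on Windows and /dev/urandom elsewhere); the one thing not to do is keep a rand() fallback, which is exactly the pre-1.12 behaviour the advisory describes.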

Impact Analysis

The use of weak session IDs can allow attackers to predict or guess valid session identifiers, potentially enabling session hijacking.

If an attacker can guess a session ID, they may gain unauthorized access to a user's session, leading to data exposure, privilege escalation, or unauthorized actions within the affected application.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade HTTP::Session2 to version 1.12 or later, where the session id generation no longer relies on the insecure rand() function.

If upgrading is not immediately possible, ensure that the /dev/urandom device is available and readable by the application, as HTTP::Session2 after version 1.02 attempts to use it before falling back to the insecure method. On platforms with no /dev/urandom (for example Windows) that fallback cannot be avoided, so upgrading to 1.12 or later is the only fix there; versions 1.02 and earlier always use the rand()-based generator regardless of platform.
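A preflight check for a host that runs HTTP::Session2, as an added example that is not from the advisory or the module. It reports whether the installed version is at or above 1.12 (the fixed version named above) and whether /dev/urandom is readable, which is what the post-1.02 code path needs to stay off rand(). It assumes the module is installed under its CPAN name and relies on UNIVERSAL::VERSION, which dies when the installed version is below the one requested.

```perl
#!/usr/bin/env perl
# Added example, not part of the advisory: preflight check for CVE-2026-3255.
use strict;
use warnings;

# Installed version, or undef when the module cannot be loaded.
sub installed_version {
    return eval { require HTTP::Session2; HTTP::Session2->VERSION };
}

# UNIVERSAL::VERSION dies if the installed version is below 1.12,
# so this returns 1 only for fixed versions.
sub is_fixed {
    return eval { require HTTP::Session2; HTTP::Session2->VERSION('1.12'); 1 } ? 1 : 0;
}

# Readability of the device matters, not just its existence: the pre-1.12
# generator falls back to rand() whenever it cannot read from it.
sub urandom_readable {
    return (-r '/dev/urandom') ? 1 : 0;
}

my $v = installed_version();
if (!defined $v) {
    print "HTTP::Session2: not installed\n";
    exit 0;
}
if (is_fixed()) {
    print "HTTP::Session2 $v: fixed (>= 1.12)\n";
    exit 0;
}
print "HTTP::Session2 $v: VULNERABLE (CVE-2026-3255), upgrade to 1.12 or later\n";
print urandom_readable()
    ? "/dev/urandom readable: versions after 1.02 should avoid rand() on this host\n"
    : "/dev/urandom NOT readable: session ids fall back to rand() on this host\n";
exit 1;
```

The non-zero exit status on a vulnerable install makes the script usable from a deployment pipeline or a configuration-management check; a readable /dev/urandom only reduces exposure for versions 1.03 through 1.11, not for 1.02 and earlier.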
