CVE-2025-15618
Insecure Key Generation in Business::OnlinePayment::StoredTransaction Module
Publication date: 2026-03-31
Last updated on: 2026-04-13
Assigner: CPANSec
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mock | business | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-338 | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Business::OnlinePayment::StoredTransaction involves the use of an insecure secret key generated by an MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use.
Since this secret key is used to encrypt credit card transaction data, the weakness in key generation could lead to insufficient protection of sensitive payment information.
This inadequate encryption strength may result in non-compliance with common standards and regulations such as GDPR and HIPAA, which require strong protection of personal and payment data to prevent unauthorized access and data breaches.
Therefore, the vulnerability undermines the confidentiality and security controls expected under these regulations, potentially exposing organizations to legal and financial penalties.
Can you explain this vulnerability to me?
The vulnerability in Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl arises because it generates a secret key for encrypting credit card transaction data using an MD5 hash of a single call to the built-in rand() function. This method produces weak randomness and is unsuitable for cryptographic purposes.
Since the secret key is used to symmetrically encrypt sensitive transaction data, the weak key generation method makes it easier for attackers to potentially guess or reproduce the key, compromising the confidentiality of stored credit card information.
How can this vulnerability impact me? :
This vulnerability can lead to the exposure of sensitive credit card transaction data because the encryption key protecting this data is generated using a weak and predictable method.
If an attacker can predict or reproduce the secret key, they could decrypt stored transaction data, leading to potential financial fraud, identity theft, and loss of customer trust.
Additionally, compromised transaction data could result in legal and financial consequences for the organization responsible for protecting this information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the use of an insecure secret key generation method in the Business::OnlinePayment::StoredTransaction Perl module, specifically generating the secret key using an MD5 hash of a single call to the built-in rand() function.
To detect this vulnerability on your system, you can check if the affected Perl module version (0.01 or earlier) is installed and in use.
Suggested commands to detect the vulnerable module and its version:
- Check if the module is installed and its version: perl -MBusiness::OnlinePayment::StoredTransaction -e 'print $Business::OnlinePayment::StoredTransaction::VERSION . "\n";'
- Search for the usage of the vulnerable key generation code in your Perl scripts or modules: grep -r 'md5_hex(rand())' /path/to/your/perl/code
- Audit your codebase for calls to Business::OnlinePayment::StoredTransaction and verify if the secret key generation uses the insecure method.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Business::OnlinePayment::StoredTransaction module to a version that replaces the insecure secret key generation method.
Specifically, the insecure generation of the secret key using MD5 of rand() should be replaced with a cryptographically secure random number generator, such as Crypt::URandom's urandom function.
- Apply the patch that replaces the secret key generation line from Digest::MD5::md5_hex(rand()) to Crypt::URandom::urandom(56).
- Ensure that the Crypt::URandom module is installed and included as a dependency.
- After patching, re-deploy the updated module and verify that the encryption process uses the new secure key generation.
Additionally, maintain secure storage of the RSA private key separately from the encrypted data to preserve confidentiality.