CVE-2025-40931
Predictable Session ID Vulnerability in Apache::Session::Generate::MD
Publication date: 2026-03-05
Last updated on: 2026-04-12
Assigner: CPANSec
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chorny | apache | to 1.94 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-338 | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
| CWE-340 | The product uses a scheme that generates numbers or identifiers that are more predictable than required. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
I don't know
Can you explain this vulnerability to me?
The vulnerability exists in Apache::Session::Generate::MD5 versions through 1.94 for Perl, where session IDs are generated insecurely.
The default session ID generator creates an MD5 hash seeded with the built-in rand() function, the epoch time, and the process ID (PID).
Because the PID comes from a small set of numbers and the epoch time can be guessed or leaked, and the built-in rand() function is not suitable for cryptographic purposes, the resulting session IDs are predictable.
This predictability makes it possible for an attacker to guess or reproduce valid session IDs.
How can this vulnerability impact me? :
Because the session IDs are predictable, an attacker could potentially guess or generate valid session IDs.
This could allow the attacker to gain unauthorized access to user sessions or systems that rely on these session IDs for authentication or session management.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know