CVE-2025-40931
Awaiting Analysis Awaiting Analysis - Queue
Predictable Session ID Vulnerability in Apache::Session::Generate::MD

Publication date: 2026-03-05

Last updated on: 2026-04-12

Assigner: CPANSec

Description
Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems. Note that the libapache-session-perl package in some Debian-based Linux distributions may be patched to use Crypt::URandom.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-04-12
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-40931
EUVD
EUVD-2025-208297
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
chorny apache to 1.94 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-340 The product uses a scheme that generates numbers or identifiers that are more predictable than required.
CWE-338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

I don't know

Executive Summary

The vulnerability exists in Apache::Session::Generate::MD5 versions through 1.94 for Perl, where session IDs are generated insecurely.

The default session ID generator creates an MD5 hash seeded with the built-in rand() function, the epoch time, and the process ID (PID).

Because the PID comes from a small set of numbers and the epoch time can be guessed or leaked, and the built-in rand() function is not suitable for cryptographic purposes, the resulting session IDs are predictable.

This predictability makes it possible for an attacker to guess or reproduce valid session IDs.

Impact Analysis

Because the session IDs are predictable, an attacker could potentially guess or generate valid session IDs.

This could allow the attacker to gain unauthorized access to user sessions or systems that rely on these session IDs for authentication or session management.

Compliance Impact

I don't know

Detection Guidance

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-40931. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart