CVE-2026-5082
Status: Received - Intake
Insecure Session ID Generation in Amon2::Plugin::Web::CSRFDefender

Publication date: 2026-04-08

Last updated on: 2026-04-23

Assigner: CPANSec

Description
Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id. The generate_session_id function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes using a SHA-1 hash seeded with the built-in rand() function, the PID, and the high-resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Amon2::Plugin::Web::CSRFDefender versions before 7.00 were part of Amon2, which was vulnerable to insecure session ids due to CVE-2025-15604. Note that the author has deprecated this module.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: tokuhirom
Product: amon2
Version range: from 7.00 (inclusive) to 7.03 (inclusive)
Weakness (CWE)
CWE-338: The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
CWE-340: The product uses a scheme that generates numbers or identifiers that are more predictable than required.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in Amon2::Plugin::Web::CSRFDefender versions 7.00 through 7.03 for Perl, where the module generates insecure session IDs.

The function generate_session_id tries to read 30 bytes from /dev/urandom to create a cryptographically strong random session ID. If /dev/urandom is unavailable, it falls back to generating a session ID using a SHA-1 hash seeded with the built-in rand() function, the process ID (PID), and a high-resolution timestamp.

This fallback method is insecure because the built-in rand() function is not suitable for cryptographic purposes, the PID comes from a small set of numbers, and the timestamp can be guessed or leaked, making the session ID predictable and vulnerable to attacks.

The module author has deprecated this plugin, and earlier versions before 7.00 were also vulnerable due to a related issue (CVE-2025-15604).

How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to predict or guess session IDs generated by the vulnerable module.

Predictable session IDs can lead to session hijacking, where an attacker impersonates a legitimate user by using their session ID.

This compromises the security of web applications using this module for CSRF defense, potentially exposing sensitive user data or allowing unauthorized actions.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves verifying whether the Amon2::Plugin::Web::CSRFDefender module version 7.00 through 7.03 is in use and whether the session IDs are generated using the insecure fallback method instead of reading from /dev/urandom.

You can check the version of the installed module by inspecting the Perl environment or the application dependencies.

  • Check the installed version of Amon2::Plugin::Web::CSRFDefender in your Perl environment, for example by running: perl -MAmon2::Plugin::Web::CSRFDefender -e 'print $Amon2::Plugin::Web::CSRFDefender::VERSION . "\n";'
  • Inspect application logs or debug output to see if warnings about failing to open /dev/urandom are present, which indicates fallback to the insecure session ID generation.
  • Monitor session IDs generated by the application; if they appear predictable or follow a pattern based on process ID and timestamps, this may indicate use of the insecure fallback method.
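An added shell check (not from the advisory, the CVE record or the Amon2 project) that combines the detection points above: it reads the installed module version, tests it against the 7.00 to 7.03 range, and confirms that /dev/urandom is present and actually yields bytes, since the module only falls back to the weak rand()/PID/time seed when the device cannot be read. Function and variable names are my own.

```shell
#!/bin/sh
# Defender's check for CVE-2026-5082 (example code, not from the advisory or Amon2).
# Affected: Amon2::Plugin::Web::CSRFDefender 7.00 through 7.03 inclusive.
AFFECTED_MIN="7.00"
AFFECTED_MAX="7.03"

# True (exit 0) when $1 lies in the affected range. Perl module versions are
# decimal numbers, so the comparison is numeric (awk), not a string match.
version_affected() {
    awk -v v="$1" -v lo="$AFFECTED_MIN" -v hi="$AFFECTED_MAX" \
        'BEGIN { exit !((v + 0) >= (lo + 0) && (v + 0) <= (hi + 0)) }'
}

# True when the device at $1 is readable and actually yields a byte. A device
# that is absent or that returns nothing (e.g. /dev/null) forces the weak fallback.
urandom_readable() {
    dev="${1:-/dev/urandom}"
    [ -r "$dev" ] &&
        [ -n "$(dd if="$dev" bs=1 count=1 2>/dev/null | od -An -tx1)" ]
}

# Prints the installed module version; prints nothing if it is not installed.
installed_version() {
    perl -MAmon2::Plugin::Web::CSRFDefender \
        -e 'print $Amon2::Plugin::Web::CSRFDefender::VERSION, "\n"' 2>/dev/null
}

# One-line verdict. Exit 0 only when the host is actually exposed: an affected
# version is installed AND the strong entropy source is unavailable.
assess() {
    ver="$(installed_version)"
    if [ -z "$ver" ]; then
        echo "Amon2::Plugin::Web::CSRFDefender not installed"; return 1
    elif ! version_affected "$ver"; then
        echo "version $ver installed: outside the affected range"; return 1
    elif urandom_readable /dev/urandom; then
        echo "version $ver installed (affected), but /dev/urandom is readable: secure path in use"; return 2
    fi
    echo "version $ver installed (affected) and /dev/urandom unreadable: WEAK FALLBACK IN USE"; return 0
}

# Run when executed directly; the status is captured so the file can also be
# sourced by another script without terminating it.
rc=0
assess || rc=$?
```

Run it on each host that serves the application; a return status of 0 means an affected version is installed and the weak fallback is what generates session IDs.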

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include ensuring that the module uses the secure method of generating session IDs by confirming that /dev/urandom is accessible on the system.

If /dev/urandom is not available, consider upgrading the environment to support it or migrating to a different module or method that provides cryptographically secure session ID generation.

Since the author has deprecated this module, consider replacing Amon2::Plugin::Web::CSRFDefender with a maintained alternative that uses secure random number generation.

  • Verify and restore access to /dev/urandom on the system to enable strong random session ID generation.
  • Upgrade or patch the module if a fixed version becomes available.
  • Replace the deprecated module with a secure, actively maintained alternative.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Amon2::Plugin::Web::CSRFDefender versions 7.00 through 7.03 involves generating insecure session IDs when /dev/urandom is unavailable, relying instead on a weaker, predictable method. This insecure session ID generation can lead to session hijacking or impersonation attacks.

Such weaknesses in session management can undermine the confidentiality and integrity of user sessions, potentially leading to unauthorized access to personal or sensitive data.

Consequently, this vulnerability may impact compliance with standards and regulations like GDPR and HIPAA, which require appropriate technical measures to protect personal and health information against unauthorized access and ensure secure session management.