CVE-2026-46473
Predictable Secret Generation in Authen::TOTP Perl Module
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: CPANSec
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-331 | The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in Authen::TOTP versions before 0.1.1 for Perl is due to the use of Perl's built-in rand function to generate secrets for two-factor authentication (2FA).
The rand function is predictable and not suitable for security purposes, which means the generated secrets can be guessed or reproduced by attackers.
This predictability weakens the security of the TOTP mechanism, potentially allowing attackers to bypass 2FA protections.
How can this vulnerability impact me? :
This vulnerability can impact you by making the secrets used in two-factor authentication (2FA) predictable and vulnerable to brute-force attacks.
If an attacker can predict or reproduce the secret, they can generate valid one-time passwords and potentially gain unauthorized access to accounts or systems protected by the vulnerable Authen::TOTP module.
This compromises the security of 2FA, reducing its effectiveness as a protective measure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is related to the use of the Authen::TOTP Perl module versions before 0.1.1, which generate secrets using the insecure Perl rand function. Detection involves identifying if your system or applications are using Authen::TOTP versions prior to 0.1.1.
You can check the installed version of the Authen::TOTP Perl module by running the following command in your terminal:
- perl -MAuthen::TOTP -e 'print $Authen::TOTP::VERSION . "\n";'
If the version is older than 0.1.1, your system is vulnerable. Additionally, you can search your codebase for usage of Authen::TOTP and check if it relies on the gen_secret method that uses rand.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Authen::TOTP Perl module to version 0.1.1 or later, where the insecure rand function has been replaced with a cryptographically secure random string generator.
This update ensures that TOTP secrets are generated securely, reducing the risk of predictable secrets and brute-force attacks.
If upgrading is not immediately possible, consider reviewing and replacing any custom secret generation code that uses Perl's rand function with a cryptographically secure alternative.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Authen::TOTP versions before 0.1.1 involves the use of a predictable random number generator for generating secrets used in two-factor authentication (2FA). This predictability can lead to weaker security controls around authentication mechanisms.
Since many common standards and regulations such as GDPR and HIPAA require strong security measures to protect sensitive data and ensure secure authentication, the use of predictable secrets could potentially lead to non-compliance. Weak 2FA secrets increase the risk of unauthorized access, which may result in breaches of personal or protected health information.
By fixing the vulnerability and using cryptographically secure random number generation, the module improves its security posture, helping organizations maintain compliance with these standards by ensuring stronger authentication security.