CVE-2024-58041: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in WONKO Smolder
Smolder versions through 1.51 for Perl use the insecure rand() function for cryptographic functions. Smolder 1.51 and earlier for Perl uses the rand() function, which is not cryptographically secure, as the default source of entropy for cryptographic functions. Specifically, Smolder::DB::Developer uses the Data::Random library, which itself states that it is "Useful mostly for test programs". Data::Random uses the rand() function.
AI Analysis
Technical Summary
CVE-2024-58041 covers a CWE-338 weakness in WONKO Smolder for Perl, versions up to and including 1.51. The root cause is that Smolder::DB::Developer generates security-relevant values through the Data::Random library, whose own documentation says it is "Useful mostly for test programs", and Data::Random in turn draws from Perl's built-in rand(). rand() is a small-state linear congruential generator (Perl's own drand48 implementation since Perl 5.20, the C library's generator before that): its entire future output is fixed by the seed, and an attacker who observes a handful of outputs can recover the state and reproduce every value the process produced before and after. perlfunc documents it as not cryptographically secure, which rules it out for anything that must be unguessable: passwords, reset tokens, session identifiers or key material. The advisory does not name the specific values Smolder generates this way; the module name points at developer-account handling, so anything that code path produces should be treated as guessable. The machine-generated enrichment on this page quotes a CVSS vector (AV:N/AC:L/PR:N/UI:N, confidentiality and integrity impact, no availability impact) and a score of 9.1, but the CVE record reproduced under Technical Details below lists no CVSS version, so that scoring is the enrichment's own estimate rather than the CNA's assessment; the real severity depends on what the weak values protect and on whether the Smolder instance is reachable by untrusted users. No in-the-wild exploitation is known. The CVE was reserved on 2025-03-26 by CPANSec and published in February 2026, and no fix release is linked from the record, so remediation currently means changing the code that generates these values.
Potential Impact
A guessable generator undermines every value that depends on it. If the values Smolder produces through this path are passwords, reset tokens or session identifiers, an attacker who recovers the generator state (from a token issued to their own account, for example) can reproduce values issued to other users and gain unauthorized access to, or tamper with, developer accounts and the test results they manage. The effect is on confidentiality and integrity: Smolder keeps running, it is just no longer trustworthy. Exposure is highest for instances reachable from untrusted networks and for deployments that treat Smolder accounts as meaningful access control. No public exploit is known, but CWE-338 weaknesses are routinely weaponized once the generator and the output format are understood, so the absence of an exploit is not a reason to defer remediation.
Mitigation Recommendations
Audit any deployment of Smolder 1.51 or earlier: locate every call into Data::Random and every direct use of rand() on a path that produces passwords, tokens, identifiers or keys. Replace those calls with a CSPRNG: Crypt::PRNG (from the CryptX distribution) or Crypt::URandom on CPAN, or the operating system source directly, /dev/urandom on Unix-like systems and BCryptGenRandom on Windows (CryptGenRandom still works but is deprecated). When mapping random bytes onto an alphabet, use rejection sampling or a library helper rather than a plain modulo, or the replacement introduces a bias of its own. Upgrade to a fixed Smolder release once one is published; until then patch the affected code locally and keep Data::Random for test fixtures only. Treat every value the weak path has already produced as compromised: force password resets and invalidate outstanding tokens and sessions generated by affected instances. Watch authentication logs for logins and password resets that do not match normal developer activity. Finally, make a CSPRNG the project-wide default for security-sensitive randomness so that the pattern does not recur.
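The weak pattern the advisory describes beside a hardened replacement, as an added example that is not Smolder's own code and not Data::Random's: weak_token mimics what a rand()-backed character picker does and shows that a known seed reproduces the token exactly, while strong_token draws bytes from /dev/urandom and maps them onto the alphabet by rejection sampling, as the mitigation text recommends. The function names, the 62-symbol alphabet and the seed value 12345 are assumptions made for this example; the script needs only core Perl on a Unix-like system.

```perl
#!/usr/bin/env perl
# Added example, not Smolder's or Data::Random's code: a rand()-backed token
# generator (the pattern CVE-2024-58041 describes) beside a replacement that
# reads the kernel CSPRNG. Function names and the alphabet are assumptions.
use strict;
use warnings;

my $ALPHABET = join '', 'a' .. 'z', 'A' .. 'Z', 0 .. 9;    # 62 symbols

# WEAK: Perl's rand() is a small-state linear congruential generator whose
# whole output sequence is fixed by its seed. srand() is called here only to
# make that determinism visible; Data::Random does not seed, it simply
# inherits whatever state the interpreter already has.
sub weak_token {
    my ( $len, $seed ) = @_;
    srand($seed) if defined $seed;
    my $out = '';
    $out .= substr( $ALPHABET, int( rand( length $ALPHABET ) ), 1 ) for 1 .. $len;
    return $out;
}

# Read exactly $n bytes from /dev/urandom (Unix-like systems). On Windows use
# Crypt::URandom or BCryptGenRandom instead of this function.
sub csprng_bytes {
    my ($n) = @_;
    open( my $fh, '<:raw', '/dev/urandom' ) or die "cannot open /dev/urandom: $!";
    my $got = read( $fh, my $buf, $n );
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return $buf;
}

# HARDENED: choose each symbol by rejection sampling so the alphabet is hit
# uniformly. 256 % 62 == 8, so a plain `$byte % 62` would favour 'a'..'h'.
sub strong_token {
    my ($len) = @_;
    my $n     = length $ALPHABET;
    my $limit = 256 - ( 256 % $n );    # largest multiple of $n not above 256
    my $out   = '';
    while ( length($out) < $len ) {
        for my $byte ( unpack 'C*', csprng_bytes($len) ) {
            next if $byte >= $limit;    # reject this byte, try the next one
            $out .= substr( $ALPHABET, $byte % $n, 1 );
            last if length($out) == $len;
        }
    }
    return $out;
}

# Demonstration: the same seed yields the same "random" token every time,
# while the CSPRNG-backed generator does not repeat.
my $first  = weak_token( 12, 12345 );
my $second = weak_token( 12, 12345 );
printf "weak   (seed 12345): %s\n", $first;
printf "weak   (seed 12345): %s\n", $second;
printf "weak tokens identical: %s\n", $first eq $second ? 'yes' : 'no';
printf "strong: %s\n", strong_token(12) for 1 .. 2;
```

Run it twice: the two weak lines match each other and match the previous run, which is exactly the property an attacker needs once the seed or state is known. The rejection loop requests a fresh batch of bytes per pass, so a run of rejected bytes costs a few extra reads but never skews the distribution.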
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, Sweden, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: CPANSec
- Date Reserved: 2025-03-26T14:00:56.432Z
- CVSS Version: null (no CVSS scoring in the CVE record)
- State: PUBLISHED
Threat ID: 699cee30be58cf853bef4e64
Added to database: 2/24/2026, 12:17:52 AM
Last enriched: 3/3/2026, 1:31:45 AM
Last updated: 4/10/2026, 8:46:36 AM