CVE-2024-58041: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in WONKO Smolder
CVE-2024-58041 identifies a cryptographic weakness in the Perl-based WONKO Smolder software versions up to 1.51, where the insecure rand() function is used as the source of entropy for cryptographic operations. Specifically, the Smolder::DB::Developer module relies on the Data::Random library, which itself uses rand() and is intended primarily for testing rather than secure randomness. This use of a cryptographically weak pseudo-random number generator (PRNG) can lead to predictable cryptographic values, undermining confidentiality and integrity. No known exploits are reported in the wild, and no official patches have been released yet. Organizations using Smolder for development or deployment should consider this vulnerability seriously due to the potential for cryptographic failures. Mitigation involves replacing the weak PRNG with a cryptographically secure alternative and auditing all cryptographic functions for reliance on rand(). Countries with significant Perl usage in software development and industries relying on Smolder are at higher risk. The severity is assessed as high given the direct impact on cryptographic strength and potential for exploitation without user interaction or authentication.
AI Analysis
Technical Summary
CVE-2024-58041 is a vulnerability in the Perl-based WONKO Smolder software (versions through 1.51) caused by the use of the insecure rand() function as the default entropy source for cryptographic operations. The rand() function in Perl is not designed to be cryptographically secure and can produce predictable outputs, which is a critical weakness when used for generating cryptographic keys, tokens, or other security-sensitive values. The affected component, Smolder::DB::Developer, uses the Data::Random library, which explicitly states it is intended mainly for testing purposes and relies on rand(). This means that any cryptographic functions depending on this library or the rand() function may generate weak random values, potentially allowing attackers to predict or reproduce cryptographic secrets. Although no exploits have been reported in the wild, the vulnerability is significant because it compromises the fundamental security properties of cryptographic operations, including confidentiality and integrity. No patches or fixes have been published yet, and the vulnerability was reserved in March 2025 and published in February 2026. The lack of a CVSS score necessitates an independent severity assessment. The vulnerability affects all versions up to 1.51 of Smolder, a tool used in Perl environments, which may be deployed in various development and production contexts.
Potential Impact
The primary impact of this vulnerability is the weakening of cryptographic security within applications using Smolder versions up to 1.51. Predictable random number generation can lead to compromised confidentiality, as attackers may be able to guess cryptographic keys, session tokens, or other sensitive values generated using the weak PRNG. This can result in unauthorized data access, impersonation, or bypass of security controls. Integrity may also be affected if cryptographic signatures or checksums rely on weak randomness. The availability impact is minimal directly but could arise indirectly if exploitation leads to system compromise or denial of service. Since the vulnerability does not require authentication or user interaction, exploitation could be automated and widespread in environments where Smolder is used. Organizations relying on Smolder for development or deployment of Perl applications may face increased risk of data breaches or security failures. The absence of known exploits suggests limited current active threat but does not diminish the potential risk if attackers develop exploit techniques.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately audit their use of Smolder and identify any cryptographic functions relying on the rand() function or the Data::Random library. Developers should replace all uses of rand() for cryptographic purposes with a cryptographically secure PRNG, such as those provided by Perl modules like Crypt::PRNG or Crypt::Random. It is critical to avoid libraries intended only for testing randomness in production cryptographic code. Until an official patch is released by WONKO, consider isolating or restricting the use of affected Smolder versions and applying compensating controls such as additional encryption layers or key management safeguards. Regularly monitor for updates or patches from the vendor and apply them promptly. Conduct security testing to verify that cryptographic operations produce sufficiently unpredictable outputs. Educate development teams on secure random number generation best practices and enforce code reviews to prevent recurrence of similar issues.
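As an added example (not code from this advisory or from the Smolder project), the weak pattern the advisory describes, a secret built from Data::Random's rand()-backed output, shown beside a hardened replacement that uses Crypt::PRNG from the CryptX distribution; the function names, the 32-character token length and the alphabet are assumptions made for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Weak pattern (CWE-338): Data::Random draws its characters from Perl's
# rand(), which is not a cryptographically secure generator. Its output
# is acceptable for test fixtures but not for tokens, keys or passwords.
use Data::Random qw(rand_chars);

sub weak_token {                      # hypothetical helper, for contrast only
    my ($len) = @_;
    return join '', rand_chars(set => 'alphanumeric', size => $len);
}

# Hardened replacement: Crypt::PRNG is a CSPRNG (Fortuna) that CryptX seeds
# from the operating system's entropy source.
use Crypt::PRNG qw(random_string_from random_bytes);

my $ALNUM = join '', 'A' .. 'Z', 'a' .. 'z', '0' .. '9';   # assumed alphabet

sub secure_token {                    # drop-in replacement for weak_token
    my ($len) = @_;
    return random_string_from($ALNUM, $len);
}

# Hex-encoded raw bytes, e.g. for an API key or password-reset secret.
sub secure_hex_secret {
    my ($nbytes) = @_;
    return unpack 'H*', random_bytes($nbytes);
}

# Sanity checks only: length and alphabet can be tested, unpredictability
# cannot be proven by observing output, so the real check is source review
# (grep for rand( and Data::Random in cryptographic code paths).
unless (caller) {
    my $t = secure_token(32);
    die "bad length"   unless length($t) == 32;
    die "bad alphabet" unless $t =~ /^[A-Za-z0-9]{32}$/;
    die "bad hex"      unless secure_hex_secret(16) =~ /^[0-9a-f]{32}$/;
    print "token:  $t\n";
    print "secret: ", secure_hex_secret(16), "\n";
}
```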
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Japan, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: CPANSec
- Date Reserved: 2025-03-26T14:00:56.432Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 699cee30be58cf853bef4e64
Added to database: 2/24/2026, 12:17:52 AM
Last enriched: 2/24/2026, 12:33:06 AM
Last updated: 2/24/2026, 4:13:05 AM