
CVE-2025-27551: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in WREIS DBIx::Class::EncodedColumn

Severity: Medium
Type: Vulnerability
Tags: cve, cve-2025-27551, cwe-338, cwe-916, cwe-331
Published: Wed Mar 26 2025 (03/26/2025, 11:07:43 UTC)
Source: CVE Database V5
Vendor/Project: WREIS
Product: DBIx::Class::EncodedColumn

Description

DBIx::Class::EncodedColumn uses the rand() function, which is not cryptographically secure, to salt password hashes. This vulnerability is associated with the program file lib/DBIx/Class/EncodedColumn/Digest.pm. This issue affects DBIx::Class::EncodedColumn until 0.00032.

AI-Powered Analysis

Last updated: 09/05/2025, 13:35:42 UTC

Technical Analysis

CVE-2025-27551 identifies a cryptographic weakness in the WREIS DBIx::Class::EncodedColumn Perl module, specifically in versions up to 0.00032. The vulnerability arises from the use of the standard rand() function to generate salts for password hashing. rand() is a general-purpose pseudo-random number generator (PRNG) that is not designed to be cryptographically secure, so salts generated with it can be predictable or reproducible by attackers, undermining the effectiveness of password hashing. The weakness is located in the program file lib/DBIx/Class/EncodedColumn/Digest.pm.

Salts are critical in password hashing: they ensure that identical passwords produce different hashes and defend against precomputed hash attacks such as rainbow tables. Using a weak PRNG for salt generation compromises this defense, potentially allowing attackers to more easily reverse or guess password hashes.

The vulnerability is classified under CWE-338 (Use of Cryptographically Weak PRNG), CWE-916 (Use of Password-Based Cryptography), and CWE-331 (Insufficient Entropy). The CVSS v3.1 score is 4.0 (medium severity), reflecting that exploitation requires local access (AV:L), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact is limited to confidentiality loss, with no integrity or availability impact. No known exploits are currently reported in the wild, and no patches are linked yet, indicating that remediation may require updating the module to a version that replaces rand() with a cryptographically secure random number generator (CSPRNG).

Potential Impact

For European organizations using the DBIx::Class::EncodedColumn module in their Perl-based applications, this vulnerability poses a risk to the confidentiality of user credentials. If an attacker gains local access to the system or can execute code within the application environment, they may predict or reproduce salts used in password hashes, facilitating offline password cracking attacks. This could lead to unauthorized access to user accounts and potentially escalate to further compromise depending on the application context. Although the vulnerability does not directly affect system integrity or availability, the exposure of credentials can have significant reputational and regulatory consequences, especially under GDPR requirements for protecting personal data. Organizations in sectors with high security demands, such as finance, healthcare, and government, may face increased risk if this module is part of their authentication infrastructure. The medium severity rating suggests that while the threat is not critical, it should be addressed promptly to prevent exploitation.

Mitigation Recommendations

European organizations should audit their use of the DBIx::Class::EncodedColumn module to determine if affected versions (up to 0.00032) are in use. Immediate mitigation steps include:

1) Upgrading to a patched or newer version of the module that uses a cryptographically secure random number generator (such as those provided by Crypt::Random or similar Perl modules) for salt generation.
2) If no patch is available, modifying the source code to replace rand() calls with a CSPRNG-based function for salt creation.
3) Conducting a password reset campaign for users if there is suspicion of credential compromise.
4) Enhancing monitoring for unusual authentication attempts or local access that might indicate exploitation attempts.
5) Reviewing overall password hashing mechanisms to ensure use of strong algorithms (e.g., bcrypt, Argon2) combined with secure salts.
6) Implementing strict access controls to limit local access to systems running vulnerable software.

These steps go beyond generic advice by focusing on the specific weakness in salt generation and emphasizing code-level remediation and operational controls.
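Step 2 as an added example (not the module's own code from Digest.pm, which this page does not show): a rand()-based salt generator beside a replacement that draws from the kernel CSPRNG. The function names and the salt alphabet are constructed for illustration, and reading /dev/urandom assumes a Unix-like host.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# 64-symbol salt alphabet; constructed for this example.
my @SALT_CHARS = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');

# WEAK: rand() is a general-purpose PRNG. Its whole output stream follows
# from the seed, so the same seed always yields the same "random" salt.
sub weak_salt {
    my ($len) = @_;
    return join '', map { $SALT_CHARS[ int rand @SALT_CHARS ] } 1 .. $len;
}

# Read exactly $n bytes from the kernel CSPRNG (assumes /dev/urandom exists).
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    while (length($buf) < $n) {
        my $got = read($fh, $buf, $n - length($buf), length($buf));
        die "read from /dev/urandom failed" unless $got;
    }
    close $fh;
    return $buf;
}

# HARDENED: map CSPRNG bytes onto the alphabet. 64 divides 256 evenly,
# so masking with 63 picks every symbol with equal probability.
sub strong_salt {
    my ($len) = @_;
    return join '', map { $SALT_CHARS[ ord($_) & 63 ] }
        split //, random_bytes($len);
}

# Same seed twice: the rand()-based salts are identical.
srand(42);
my $first = weak_salt(16);
srand(42);
my $second = weak_salt(16);
print "weak salts repeat under one seed: ",
    ($first eq $second ? "yes" : "no"), "\n";

# CSPRNG salts cannot be seeded by the program and differ on each call.
print "strong salt 1: ", strong_salt(16), "\n";
print "strong salt 2: ", strong_salt(16), "\n";
```

Salts already stored with existing hashes are not changed by swapping the generator; only hashes created after the change receive CSPRNG salts.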


Technical Details

Data Version: 5.1
Assigner Short Name: CPANSec
Date Reserved: 2025-02-28T20:33:23.575Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68bae6eb9bc4cbad54150dbe

Added to database: 9/5/2025, 1:34:35 PM

Last enriched: 9/5/2025, 1:35:42 PM

Last updated: 9/5/2025, 1:35:42 PM
