CVE-2025-27552: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in WREIS DBIx::Class::EncodedColumn

Severity: Medium
Type: Vulnerability
Tags: cve, cve-2025-27552, cwe-338, cwe-916, cwe-331
Published: Wed Mar 26 2025 (03/26/2025, 11:08:11 UTC)
Source: CVE Database V5
Vendor/Project: WREIS
Product: DBIx::Class::EncodedColumn

Description

DBIx::Class::EncodedColumn uses the rand() function, which is not cryptographically secure, to salt password hashes. This vulnerability is associated with program files Crypt/Eksblowfish/Bcrypt.pm. This issue affects DBIx::Class::EncodedColumn until 0.00032.

AI-Powered Analysis

Last updated: 09/05/2025, 13:35:29 UTC

Technical Analysis

CVE-2025-27552 is a medium-severity vulnerability affecting the WREIS project’s DBIx::Class::EncodedColumn module, specifically versions up to 0.00032. The vulnerability arises from the use of the standard rand() function to generate salts for password hashing. The rand() function is a pseudo-random number generator (PRNG) that is not cryptographically secure, meaning its output can be predicted or reproduced by attackers with sufficient knowledge or access.

The affected code involves the Crypt/Eksblowfish/Bcrypt.pm file, which is responsible for implementing bcrypt password hashing. Since bcrypt relies on a salt to ensure that identical passwords produce different hashes, using a weak PRNG for salt generation undermines the security of the password hashes. An attacker could potentially predict or reproduce the salt values, facilitating offline brute-force or dictionary attacks against stored password hashes.

The vulnerability is classified under CWE-338 (Use of Cryptographically Weak PRNG), CWE-916 (Use of Password-Based Cryptography with Insufficient Iterations), and CWE-331 (Insufficient Entropy). The CVSS v3.1 base score is 4.0, indicating a medium severity, with the vector AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, meaning the attack requires local access but no privileges or user interaction, and impacts confidentiality only. No known exploits are reported in the wild as of the publication date (March 26, 2025).

This vulnerability primarily threatens the confidentiality of password data by weakening the salt randomness, potentially enabling attackers to recover user credentials more easily if they gain access to hashed password databases.

Potential Impact

For European organizations using DBIx::Class::EncodedColumn versions up to 0.00032, this vulnerability could lead to increased risk of credential compromise if attackers gain local access to systems or databases containing password hashes. Although exploitation requires local access, the weak salt generation reduces the effectiveness of password hashing, making offline attacks more feasible once hashes are obtained. This could lead to unauthorized access to sensitive systems, data breaches, and potential lateral movement within networks. Sectors with high-value or sensitive data, such as finance, healthcare, and government institutions, could face reputational damage, regulatory penalties under GDPR, and operational disruptions. The impact is mitigated by the requirement for local access and the absence of known remote exploits, but organizations relying on this module for authentication should consider the risk significant enough to warrant prompt remediation.

Mitigation Recommendations

Organizations should immediately audit their use of DBIx::Class::EncodedColumn and identify any deployments using versions up to 0.00032. They should upgrade to a patched version that replaces the insecure rand() function with a cryptographically secure PRNG, such as the one provided by Crypt::PRNG or a similar secure module. If an upgrade is not immediately possible, organizations should consider implementing additional layers of security, such as multi-factor authentication, to reduce the risk of credential compromise. Additionally, password hashes generated with weak salts should be rehashed with secure salts after patching. Access controls should be strengthened to limit local access to systems storing password hashes. Regular security audits and monitoring for unusual access patterns can help detect potential exploitation attempts. Finally, developers should review cryptographic implementations to ensure adherence to best practices for entropy and randomness.
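
The weak and corrected salt patterns side by side, with a rehash-on-login helper for the rehash recommendation above. This is an added example, not code from DBIx::Class::EncodedColumn or its patch; it assumes Crypt::Eksblowfish::Bcrypt and CryptX (which provides Crypt::PRNG) are installed, and the sub names and the `salt_is_csprng` field are hypothetical.

```perl
use strict;
use warnings;
use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);
use Crypt::PRNG qw(random_bytes);    # CSPRNG shipped with CryptX

# Weak pattern described by the CVE: bcrypt salt bytes drawn from rand().
# Written for illustration; not copied from the module's source.
sub weak_salt { return join '', map { chr(int(rand(256))) } 1 .. 16 }

# Corrected pattern: the 16 salt bytes come from a CSPRNG.
sub strong_salt { return random_bytes(16) }

# Build a "$2a$<cost>$<22-char salt>" settings string and hash with it.
sub hash_password {
    my ($password, $cost, $salt) = @_;
    return bcrypt($password, sprintf('$2a$%02d$%s', $cost, en_base64($salt)));
}

# Rehash-on-login: a stored bcrypt string doubles as its own settings string,
# so verification recomputes the hash with the stored cost and salt.
# $user->{salt_is_csprng} is a hypothetical flag marking post-fix records.
sub verify_and_upgrade {
    my ($user, $password, $cost) = @_;
    return 0 unless bcrypt($password, $user->{hash}) eq $user->{hash};
    unless ($user->{salt_is_csprng}) {
        # The plaintext is only available at login, so re-salt here.
        $user->{hash}           = hash_password($password, $cost, strong_salt());
        $user->{salt_is_csprng} = 1;
    }
    return 1;
}

# Constructed sample record, hashed the weak way to stand in for legacy data.
my $user = { hash => hash_password('correct horse', 10, weak_salt()),
             salt_is_csprng => 0 };
my $old = $user->{hash};

print "wrong password rejected\n"
    unless verify_and_upgrade($user, 'wrong', 10);
print "login ok, record rehashed with CSPRNG salt\n"
    if verify_and_upgrade($user, 'correct horse', 10) && $user->{hash} ne $old;
print "still verifies after upgrade\n"
    if verify_and_upgrade($user, 'correct horse', 10);
```

Accounts that never log in again keep their old salt, so pair this with a forced reset or expiry for records still flagged as legacy.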

Technical Details

Data Version: 5.1
Assigner Short Name: CPANSec
Date Reserved: 2025-02-28T20:33:23.575Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68bae6eb9bc4cbad54150dc2

Added to database: 9/5/2025, 1:34:35 PM

Last enriched: 9/5/2025, 1:35:29 PM

Last updated: 9/5/2025, 1:35:29 PM
