CVE-2025-40923: CWE-340 Generation of Predictable Numbers or Identifiers in MIYAGAWA Plack::Middleware::Session
Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.
CVE-2025-40923: CWE-340 Generation of Predictable Numbers or Identifiers in MIYAGAWA Plack::Middleware::Session
Description
Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- CPANSec
- Date Reserved
- 2025-04-16T09:05:34.362Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 6877a61aa83201eaacdb3fdc
Added to database: 7/16/2025, 1:16:10 PM
Last updated: 7/16/2025, 1:16:10 PM
Views: 1
Related Threats
CVE-2025-34300: CWE-20 Improper Input Validation in Sawtooth Software Lighthouse Studio
CriticalCVE-2025-53758: CWE-312: Cleartext Storage of Sensitive Information in Digisol XPON ONU Wi-Fi Router (DG-GR6821AC)
MediumCVE-2025-53757: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in Digisol XPON ONU Wi-Fi Router (DG-GR6821AC)
HighCVE-2025-52836: CWE-266 Incorrect Privilege Assignment in Unity Business Technology Pty Ltd The E-Commerce ERP
CriticalCVE-2025-52819: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in pakkemx Pakke Envíos
HighActions
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.