CVE-2025-40926: CWE-340 Generation of Predictable Numbers or Identifiers in KAZEBURO Plack::Middleware::Session::Simple
CVE-2025-40926 is a critical vulnerability in Plack::Middleware::Session::Simple versions before 0. 05 for Perl, where session IDs are generated using a predictable method. The default session ID generator uses a SHA-1 hash seeded with the built-in rand function, epoch time, and process ID (PID). Since the PID is from a small set of numbers and the epoch time can be guessed or leaked, the session IDs are predictable. This weakness can allow attackers to guess valid session IDs and potentially gain unauthorized access. The vulnerability has a CVSS score of 9. 8, indicating a critical severity level. No patch or official fix information is provided in the available data.
AI Analysis
Technical Summary
Plack::Middleware::Session::Simple versions prior to 0.05 generate session identifiers insecurely by hashing a combination of the built-in rand function, epoch time, and PID using SHA-1. The built-in rand function is not cryptographically secure, and the PID and epoch time values are predictable or guessable, leading to predictable session IDs. This vulnerability (CVE-2025-40926) is classified under CWE-340 (Generation of Predictable Numbers or Identifiers) and CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator). Predictable session IDs can allow attackers to hijack sessions and gain unauthorized access. The vulnerability is related to a similar issue in Plack::Middleware::Session (CVE-2025-40923).
Potential Impact
The vulnerability allows attackers to predict session IDs due to weak randomness in their generation. This can lead to session hijacking, unauthorized access, and potentially full compromise of affected systems using Plack::Middleware::Session::Simple versions before 0.05. The CVSS score of 9.8 reflects high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid using affected versions of Plack::Middleware::Session::Simple or implement alternative secure session ID generation methods that use cryptographically secure random number generators. Monitoring vendor channels for updates is recommended.
CVE-2025-40926: CWE-340 Generation of Predictable Numbers or Identifiers in KAZEBURO Plack::Middleware::Session::Simple
Description
CVE-2025-40926 is a critical vulnerability in Plack::Middleware::Session::Simple versions before 0. 05 for Perl, where session IDs are generated using a predictable method. The default session ID generator uses a SHA-1 hash seeded with the built-in rand function, epoch time, and process ID (PID). Since the PID is from a small set of numbers and the epoch time can be guessed or leaked, the session IDs are predictable. This weakness can allow attackers to guess valid session IDs and potentially gain unauthorized access. The vulnerability has a CVSS score of 9. 8, indicating a critical severity level. No patch or official fix information is provided in the available data.
CVSS v3.1
Score 9.8critical
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Plack::Middleware::Session::Simple versions prior to 0.05 generate session identifiers insecurely by hashing a combination of the built-in rand function, epoch time, and PID using SHA-1. The built-in rand function is not cryptographically secure, and the PID and epoch time values are predictable or guessable, leading to predictable session IDs. This vulnerability (CVE-2025-40926) is classified under CWE-340 (Generation of Predictable Numbers or Identifiers) and CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator). Predictable session IDs can allow attackers to hijack sessions and gain unauthorized access. The vulnerability is related to a similar issue in Plack::Middleware::Session (CVE-2025-40923).
Potential Impact
The vulnerability allows attackers to predict session IDs due to weak randomness in their generation. This can lead to session hijacking, unauthorized access, and potentially full compromise of affected systems using Plack::Middleware::Session::Simple versions before 0.05. The CVSS score of 9.8 reflects high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid using affected versions of Plack::Middleware::Session::Simple or implement alternative secure session ID generation methods that use cryptographically secure random number generators. Monitoring vendor channels for updates is recommended.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2025-04-16T09:05:34.362Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 69a8e7f5d1a09e29cba26c29
Added to database: 3/5/2026, 2:18:29 AM
Last enriched: 4/28/2026, 6:09:33 AM
Last updated: 6/3/2026, 10:22:09 AM
Views: 93
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.