CVE-2025-40931: CWE-340 Generation of Predictable Numbers or Identifiers in CHORNY Apache::Session::Generate::MD5
Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems. Note that the libapache-session-perl package in some Debian-based Linux distributions may be patched to use Crypt::URandom.
AI Analysis
Technical Summary
Apache::Session::Generate::MD5 versions through 1.94 generate session IDs insecurely by using MD5 hashing seeded with the built-in non-cryptographic rand() function, epoch time, and PID. The PID is drawn from a limited range, and the epoch time can be guessed or leaked, making session IDs predictable. This vulnerability (CVE-2025-40931) is classified under CWE-340 (Generation of Predictable Numbers or Identifiers) and CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator). Predictable session IDs can lead to session hijacking or unauthorized access. Some Linux distributions have mitigated this by patching the module to use Crypt::URandom instead. No official patch or remediation from the original vendor is documented.
Potential Impact
The vulnerability allows attackers to predict session IDs due to weak randomness in their generation. This can lead to unauthorized access to user sessions, compromising confidentiality and integrity of affected systems. The CVSS score of 9.1 reflects a critical impact with network attack vector, no privileges required, no user interaction, and high confidentiality and integrity impact. Availability is not affected. There are no known exploits in the wild reported at this time.
Mitigation Recommendations
No official patch or vendor advisory is available for Apache::Session::Generate::MD5. Users should consider replacing the default session ID generator with a cryptographically secure alternative such as Crypt::URandom, as done in some Debian-based Linux distributions. Until an official fix is released, avoid using Apache::Session::Generate::MD5 for session ID generation in security-sensitive environments.
CVE-2025-40931: CWE-340 Generation of Predictable Numbers or Identifiers in CHORNY Apache::Session::Generate::MD5
Description
Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems. Note that the libapache-session-perl package in some Debian-based Linux distributions may be patched to use Crypt::URandom.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Apache::Session::Generate::MD5 versions through 1.94 generate session IDs insecurely by using MD5 hashing seeded with the built-in non-cryptographic rand() function, epoch time, and PID. The PID is drawn from a limited range, and the epoch time can be guessed or leaked, making session IDs predictable. This vulnerability (CVE-2025-40931) is classified under CWE-340 (Generation of Predictable Numbers or Identifiers) and CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator). Predictable session IDs can lead to session hijacking or unauthorized access. Some Linux distributions have mitigated this by patching the module to use Crypt::URandom instead. No official patch or remediation from the original vendor is documented.
Potential Impact
The vulnerability allows attackers to predict session IDs due to weak randomness in their generation. This can lead to unauthorized access to user sessions, compromising confidentiality and integrity of affected systems. The CVSS score of 9.1 reflects a critical impact with network attack vector, no privileges required, no user interaction, and high confidentiality and integrity impact. Availability is not affected. There are no known exploits in the wild reported at this time.
Mitigation Recommendations
No official patch or vendor advisory is available for Apache::Session::Generate::MD5. Users should consider replacing the default session ID generator with a cryptographically secure alternative such as Crypt::URandom, as done in some Debian-based Linux distributions. Until an official fix is released, avoid using Apache::Session::Generate::MD5 for session ID generation in security-sensitive environments.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2025-04-16T09:05:34.363Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 69a8e7f5d1a09e29cba26c30
Added to database: 3/5/2026, 2:18:29 AM
Last enriched: 4/13/2026, 11:17:38 AM
Last updated: 4/19/2026, 10:57:33 AM
Views: 163
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.