CVE-2025-40932

Name of the Vulnerable Software and Affected Versions Apache::SessionX versions through 2.01

Description Apache::SessionX generates session IDs insecurely. The default session ID generator returns an MD5 hash seeded with the built-in rand() function, the epoch time, and the process ID (PID). The PID comes from a limited set of numbers, and the epoch time may be predictable if not leaked from the HTTP Date header. The rand() function is not suitable for cryptographic purposes. Predictable session IDs could allow an attacker to gain unauthorized access to systems.

Recommendations Update Apache::SessionX to a version later than 2.01.