PT-2025-29824 · Unknown · Plack::Middleware::Session

Robert Rothenberg · Published 2025-07-16 · Updated 2026-03-12 · CVE-2025-40923

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Plack-Middleware-Session versions prior to 0.35

Description: The default session ID generator in Plack-Middleware-Session for Perl uses a SHA-1 hash seeded with the built-in rand function, the epoch time, and the process ID (PID). The PID originates from a limited set of numbers, and the epoch time may be predictable. The rand function is not suitable for cryptographic purposes. Predictable session IDs could allow an attacker to gain unauthorized access to systems.

Recommendations: Update Plack-Middleware-Session to version 0.35 or later.

Related Identifiers

CVE-2025-40923

Affected Products

Debian
Plack::Middleware::Session