PT-2025-29832 · Unknown · Authen::Digestmd5
Salva · Published 2025-07-16 · Updated 2025-07-16 · CVE-2025-40919
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Authen::DigestMD5 versions 0.01 through 0.02
Description
The cnonce (client nonce) is generated insecurely using an MD5 hash of the PID, the epoch time, and the built-in rand function. The PID originates from a limited set of numbers, and the epoch time may be predictable. The rand function is unsuitable for cryptographic purposes. RFC 2831 recommends that the cnonce contain at least 64 bits of entropy to avoid chosen plaintext attacks and provide mutual authentication.
Recommendations
Authen::DigestMD5 version 0.01: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Authen::DigestMD5 version 0.02: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
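The weak construction from the description next to a CSPRNG-based replacement, as an added Perl example that is not Authen::DigestMD5's own code. The exact weak expression and the names weak_cnonce and strong_cnonce are assumptions, and reading /dev/urandom assumes a Unix-like host.

```perl
#!/usr/bin/perl
# Added example; not code from Authen::DigestMD5.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Weak pattern as the advisory describes it: MD5 over the PID, the epoch
# time and rand(). The exact expression in the module is an assumption.
# The 32 hex characters look random, but hashing adds no entropy: the
# output is only as unpredictable as its three inputs.
sub weak_cnonce {
    return md5_hex($$ . time() . rand());
}

# Replacement: read bytes from the kernel CSPRNG and hex-encode them.
# The default of 16 bytes (128 bits) is above the 64-bit minimum that
# RFC 2831 recommends for the cnonce.
sub strong_cnonce {
    my ($nbytes) = @_;
    $nbytes //= 16;
    open(my $fh, '<:raw', '/dev/urandom')
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    # Loop until the full length is read; fail closed on error or EOF
    # instead of returning a short, weaker value.
    while (length($buf) < $nbytes) {
        my $got = read($fh, $buf, $nbytes - length($buf), length($buf));
        die "read from /dev/urandom failed: $!" unless defined $got;
        die "unexpected EOF on /dev/urandom" if $got == 0;
    }
    close($fh);
    return unpack('H*', $buf);
}

# Print one value from each generator when run as a script.
unless (caller) {
    print "weak:   ", weak_cnonce(), "\n";
    print "strong: ", strong_cnonce(), "\n";
}
```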
Affected Products
Authen::Digestmd5