CVE-2025-22376

Name of the Vulnerable Software and Affected Versions Net::OAuth versions prior to 0.29

Description The default nonce in Net::OAuth::Client is a 32-bit integer generated from the built-in rand() function, which is not cryptographically strong. This weakness can be exploited due to the use of a non-cryptographically secure pseudo-random number generator.

Recommendations For versions prior to 0.29, consider using a cryptographically secure pseudo-random number generator to generate nonces, or update to a version that uses a secure method for generating nonces. As a temporary workaround, consider disabling the use of the default nonce generation until a patch is available. Restrict access to the Net::OAuth::Client module to minimize the risk of exploitation. Avoid using the rand() function for generating nonces in the affected API endpoints until the issue is resolved.