CVE-2025-40926

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Plack::Middleware::Session::Simple versions through 0.04

Description The software generates session IDs insecurely. The default session ID generator uses a SHA-1 hash seeded with the built-in rand function, the epoch time, and the process ID (PID). The PID comes from a limited set of numbers, and the epoch time may be predictable. The rand function is not suitable for cryptographic purposes. Predictable session IDs could allow an attacker to gain access to systems. This issue is similar to a security issue in Plack::Middleware::Session.

Recommendations Update Plack::Middleware::Session::Simple to a version later than 0.04.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-340CWE-338

Related Identifiers

CVE-2025-40926

Affected Products

Plack::Middleware::Session::Simple

CVE-2025-40926

Weakness Enumeration

Related Identifiers

Affected Products

References · 12