PT-2026-23118 · Unknown · Apache::Session::Generate::Md5

Robert Rothenberg

Published

2026-03-05

Updated

2026-05-15

CVE-2025-40931

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Apache::Session::Generate::MD5 versions through 1.94

Description The software generates session IDs insecurely. The default session ID generator uses an MD5 hash seeded with the built-in rand() function, the epoch time, and the process ID (PID). The PID comes from a limited set of numbers, and the epoch time may be guessed. The rand() function is not suitable for cryptographic purposes. Predictable session IDs could allow an attacker to gain unauthorized access to systems.

Recommendations Update to a version of Apache::Session::Generate::MD5 later than 1.94.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-340CWE-338

Related Identifiers

CVE-2025-40931

Affected Products

Apache::Session::Generate::Md5

PT-2026-23118 · Unknown · Apache::Session::Generate::Md5

CVE-2025-40931

Weakness Enumeration

Related Identifiers

Affected Products

References · 24