PT-2026-28276 · Amon2 · Amon2

Published

2026-03-28

·

Updated

2026-04-08

·

CVE-2025-15604

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Amon2 versions prior to 6.17

Description

Amon2 for Perl utilizes an insecure random string implementation in its security functions. Versions 6.06 through 6.16 attempt to use /dev/urandom, but fall back to a SHA-1 hash seeded with the built-in rand() function, the process ID (PID), and the epoch time if /dev/urandom is unavailable. The rand() function is not suitable for cryptographic purposes. Prior to version 6.06, no fallback mechanism existed when /dev/urandom was unavailable. Before version 6.04, the random string function directly used the rand() function to generate alphanumeric strings. This function is used for generating session IDs, secrets for signing or encrypting cookie session data, and tokens for Cross-Site Request Forgery (CSRF) protection.

Recommendations

Update to Amon2 version 6.17 or later. Versions 6.06 through 6.16 should be updated to a version greater than 6.17. Versions prior to 6.06 should be updated to a version greater than 6.17. Versions prior to 6.04 should be updated to a version greater than 6.17.
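The weakness described above is a general pattern, not specific to one framework: a token generator that draws from a non-cryptographic PRNG, or that silently degrades to one when the OS entropy source is missing. The following is an added illustration written for this entry; it is not Amon2's code and does not reproduce its implementation. It places a weak alphanumeric generator built on Perl's rand() next to a hardened one that reads /dev/urandom and fails closed (dies) rather than falling back to rand(), PID or time. Function names and the alphabet are this example's own choices.

```perl
#!/usr/bin/env perl
# Added example (not Amon2's code): weak rand()-based token generation
# next to a fail-closed generator that reads /dev/urandom.
use strict;
use warnings;

my @ALNUM = ('a'..'z', 'A'..'Z', '0'..'9');   # 62 symbols

# WEAK: rand() is a general-purpose PRNG, not a CSPRNG. Tokens built this
# way are unsuitable for session IDs, cookie-signing secrets or CSRF tokens.
sub weak_random_string {
    my ($len) = @_;
    return join '', map { $ALNUM[ int(rand(@ALNUM)) ] } 1 .. $len;
}

# HARDENED: read exactly $len bytes from /dev/urandom. If the device is
# missing or the read is short, die instead of degrading to a weaker source.
sub secure_random_bytes {
    my ($len) = @_;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom, refusing to generate a token: $!";
    my $got = read($fh, my $buf, $len);
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $len;
    return $buf;
}

# Map random bytes onto the alphabet without modulo bias: 62 does not divide
# 256 evenly, so bytes at or above 248 (= 4 * 62) are discarded and redrawn.
sub secure_random_string {
    my ($len) = @_;
    my $limit = 256 - (256 % scalar @ALNUM);   # 248
    my $out   = '';
    while (length($out) < $len) {
        for my $byte (unpack 'C*', secure_random_bytes($len)) {
            next if $byte >= $limit;
            $out .= $ALNUM[ $byte % @ALNUM ];
            last if length($out) >= $len;
        }
    }
    return $out;
}

printf "weak   (rand):         %s\n", weak_random_string(32);
printf "secure (/dev/urandom): %s\n", secure_random_string(32);
```

The point of the hardened version is the failure mode: when /dev/urandom cannot be opened, token generation stops with an error that operators will notice, instead of continuing with a seed derived from rand(), the PID and the clock. On CPAN, Crypt::URandom provides the same fail-closed read of the OS entropy source with Windows support, and is the usual replacement for hand-rolled readers in Perl code.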

Fix


Weakness Enumeration

Related Identifiers

CVE-2025-15604

Affected Products

Amon2