CVE-2026-3256

Name of the Vulnerable Software and Affected Versions HTTP::Session versions through 0.53

Description HTTP::Session for Perl, by default, uses insecurely generated session IDs. The software utilizes HTTP::Session::ID::SHA1 to create session IDs, employing a SHA-1 hash seeded with the built-in rand function, the epoch time, and the process ID (PID). The PID originates from a limited range of numbers, and the epoch time may be predictable. The rand function is not suitable for cryptographic purposes. The distribution also includes HTTP::Session::ID::MD5, which exhibits a similar flaw but uses the MD5 hash instead.

Recommendations Update to a version of HTTP::Session greater than 0.53.