CVE-2025-40931

critical

Apache

CVSS v3 Base Score

9.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Published: March 5, 2026

Last Modified: March 9, 2026

Vendor: Apache

Source: NVD

Description

Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.

CWE

CWE-338

Affected Products

chorny apache\

References

🔗 github.com 🔗 metacpan.org 🔗 rt.cpan.org 🔗 security.metacpan.org 🔗 www.openwall.com

CVE-2025-40931

Vulnerability Report

Description

CWE

Affected Products

References