CVE-2025-27552: DBIx::Class::EncodedColumn until 0.00032 for Perl uses insecure rand() function for salting password hashes in Crypt/Eksblowfish/Bcrypt.pm Stig Palmquist 26 Mar 2025 11:16 UTC

========================================================================
CVE-2025-27552                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2025-27552
   Distribution:  DBIx::Class::EncodedColumn
       Versions:  before 0.00032

       MetaCPAN:  https://metacpan.org/dist/DBIx-Class-EncodedColumn
       VCS Repo:  https://github.com/wreis/DBIx-Class-EncodedColumn

DBIx::Class::EncodedColumn until 0.00032 for Perl uses insecure rand()
function for salting password hashes in Crypt/Eksblowfish/Bcrypt.pm

Description
-----------
DBIx::Class::EncodedColumn uses the rand() function, which is not
cryptographically secure, to salt password hashes.

This vulnerability is associated with the program file
Crypt/Eksblowfish/Bcrypt.pm.

This issue affects DBIx::Class::EncodedColumn until 0.00032.

Problem types
-------------
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
(PRNG)
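As an added illustration that is not the module's own code, the following Perl contrasts a bcrypt salt drawn from rand() (the CWE-338 pattern described above) with one drawn from the operating system CSPRNG, then hashes and verifies a password with Crypt::Eksblowfish::Bcrypt. It assumes that module is installed and /dev/urandom is available; the sub names are hypothetical.

```perl
# Added illustration (not the module's code): a bcrypt salt drawn from
# rand() versus one drawn from the kernel CSPRNG. Assumes
# Crypt::Eksblowfish::Bcrypt is installed and /dev/urandom exists.
use strict;
use warnings;
use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);

# Weak: rand() is a small-state, seed-predictable generator, not a CSPRNG.
# This is the pattern CWE-338 describes; shown only to contrast with the fix.
sub weak_salt {
    return join '', map { chr(int(rand(256))) } 1 .. 16;
}

# Fixed: take the 16 salt bytes from the OS CSPRNG. On platforms without
# /dev/urandom, Crypt::URandom's urandom(16) is the portable equivalent.
sub strong_salt {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $n = sysread $fh, my $salt, 16;
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == 16;
    return $salt;
}

# Build the bcrypt settings string ("$2a$" cost "$" 22-char base64 salt)
# and hash the password with it.
sub hash_password {
    my ($password, $salt, $cost) = @_;
    $cost //= 8;
    my $settings = sprintf '$2a$%02d$%s', $cost, en_base64($salt);
    return bcrypt($password, $settings);
}

# Verify by re-hashing with the settings prefix stored in the hash itself
# (first 29 characters: "$2a$NN$" plus the 22-character salt).
sub check_password {
    my ($password, $stored) = @_;
    my $settings = substr $stored, 0, 29;
    return bcrypt($password, $settings) eq $stored;
}

# Demonstrate the weakness: a fixed seed reproduces the "random" salt exactly.
srand(42); my $s1 = weak_salt();
srand(42); my $s2 = weak_salt();
print "rand() salt reproducible from seed: ", ($s1 eq $s2 ? 'yes' : 'no'), "\n";

my $stored = hash_password('correct horse battery staple', strong_salt());
print "stored hash: $stored\n";
print "verify ok:   ", (check_password('correct horse battery staple', $stored) ? 'yes' : 'no'), "\n";
print "wrong pw:    ", (check_password('Tr0ub4dor&3', $stored) ? 'yes' : 'no'), "\n";
```

The seeded run prints the same salt twice, which is exactly why a rand()-derived salt does not provide the per-hash uniqueness bcrypt relies on.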

References
----------
https://security.metacpan.org/docs/guides/random-data-for-security.html
https://metacpan.org/release/WREIS/DBIx-Class-EncodedColumn-0.00032/changes

Credits
-------
Robert Rothenberg, finder