CVE-2025-1860: Data::Entropy for Perl uses insecure rand() function for cryptographic functions
Timothy Legge 28 Mar 2025 02:00 UTC
========================================================================
CVE-2025-1860 CPAN Security Group
========================================================================
CVE ID: CVE-2025-1860
Distribution: Data-Entropy
Versions: before 0.008
MetaCPAN: https://metacpan.org/dist/Data-Entropy
Data::Entropy for Perl uses insecure rand() function for cryptographic
functions
Description
-----------
Data::Entropy for Perl 0.007 and earlier uses Perl's built-in rand()
function, which is not cryptographically secure, as the default source
of entropy for cryptographic functions.
Problem types
-------------
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
(PRNG)
Mitigations
-----------
Version 0.008 was released to address the issue, and the module has
been marked as deprecated. Users should upgrade and plan to migrate
to a different module.
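Until the upgrade or migration is done, the weakness described above can be sidestepped in calling code: Data::Entropy lets a caller supply its own entropy source, so the rand()-derived default never has to be consulted. The following is an added example written for this advisory, not code from the CPAN Security Group or from the Data-Entropy distribution. It assumes a POSIX system where /dev/urandom is the kernel CSPRNG, and that the Data-Entropy modules and the functions used here (with_entropy_source, entropy_source, Data::Entropy::Source->new with the "sysread" read style, rand_int, rand_bits) are installed and behave as their documentation describes.

```perl
#!/usr/bin/env perl
# Added example (not part of the advisory or of Data-Entropy):
# route Data::Entropy::Algorithms through the kernel CSPRNG instead of
# the rand()-derived default flagged by CVE-2025-1860.
use strict;
use warnings;
use Data::Entropy qw(with_entropy_source entropy_source);
use Data::Entropy::Source;
use Data::Entropy::Algorithms qw(rand_int rand_bits);

# Open /dev/urandom as a raw octet source. The :raw layer matters: no
# I/O layer may translate or buffer the bytes the source reads.
open(my $urandom, "<:raw", "/dev/urandom")
    or die "cannot open /dev/urandom: $!";
my $secure_source = Data::Entropy::Source->new($urandom, "sysread");

# Everything inside the block draws from $secure_source; the
# process-wide default source is never touched, so on an affected
# version (0.007 and earlier) rand() never feeds these values.
my ($token_hex, $roll) = with_entropy_source($secure_source, sub {
    # Defensive check: confirm the override is actually in effect
    # before generating anything security-sensitive.
    die "secure entropy source not active"
        unless entropy_source() == $secure_source;

    my $token = rand_bits(128);   # 16 octets of CSPRNG output
    my $r     = rand_int(6) + 1;  # uniform in 1..6, no modulo bias
    return (unpack("H*", $token), $r);
});

printf "token: %s\nroll:  %d\n", $token_hex, $roll;
close($urandom);
```

The with_entropy_source() wrapper scopes the override to the enclosed code; anything generated outside it on an affected version still comes from the insecure default, which is why the example checks entropy_source() inside the block rather than trusting the call site. This is a stopgap for code that cannot be upgraded immediately; the advisory's mitigation, upgrading to 0.008 and migrating away from the deprecated module, still applies.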
References
----------
https://perldoc.perl.org/functions/rand
https://metacpan.org/release/ZEFRAM/Data-Entropy-0.007/source/lib/Data/Entropy.pm#L80
Credits
-------
Robert Rothenberg (RRWO), finder