CVE-2025-40915: Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens Robert Rothenberg 11 Jun 2025 17:24 UTC

========================================================================
CVE-2025-40915                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2025-40915
   Distribution:  Mojolicious-Plugin-CSRF
       Versions:  1.03

       MetaCPAN:  https://metacpan.org/dist/Mojolicious-Plugin-CSRF
       VCS Repo:  https://github.com/gryphonshafer/Mojo-Plugin-CSRF

Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number
source for generating CSRF tokens

Description
-----------
Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number
source for generating CSRF tokens.

That version of the module generates tokens as an MD5 of the process
id, the current time, and a single call to the built-in rand()
function. None of these inputs is secret: the process id and the time
are observable or easily guessed, and Perl's rand() is a deterministic,
non-cryptographic PRNG, so hashing them with MD5 adds no entropy and the
resulting token is far more predictable than its 128-bit length suggests.
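
The script below is an added illustration and is not code from
Mojolicious::Plugin::CSRF or its 1.04 release. It places the token
construction the description attributes to 1.03 beside a token drawn
from the operating system CSPRNG, and shows that the weak form is fully
reproducible once its inputs are known. The subroutine names, the
/dev/urandom path and the sample pid, time and seed values are
assumptions made for this example.

```perl
#!/usr/bin/env perl
# Added illustration for CVE-2025-40915; not code from Mojolicious::Plugin::CSRF.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# The 1.03 construction as the advisory describes it: an MD5 over the
# process id, the current time and one call to Perl's built-in rand().
# MD5 adds no entropy; the token is only as unpredictable as rand() is,
# because $$ and time() are observable or easily guessed.
sub weak_csrf_token {
    return md5_hex( $$ . time() . rand() );
}

# Same construction with every input pinned (pid, time, PRNG seed), to show
# that nothing in it is a secret: anyone who knows the PRNG state
# reproduces the token exactly. Inputs are constructed for this example.
sub weak_csrf_token_with_state {
    my ( $pid, $epoch, $seed ) = @_;
    srand($seed);    # rand() is a deterministic, non-cryptographic PRNG
    return md5_hex( $pid . $epoch . rand() );
}

# Hardened alternative: 32 bytes from the kernel CSPRNG, hex-encoded.
# Assumes a Unix-like host exposing /dev/urandom (an assumption of this
# example); Crypt::URandom from CPAN is the portable equivalent.
sub strong_csrf_token {
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $got = sysread $fh, my $bytes, 32;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 32;
    return unpack 'H*', $bytes;
}

# Constructed values: pid 4242, an arbitrary epoch second, seed 12345.
my $t1 = weak_csrf_token_with_state( 4242, 1749659040, 12345 );
my $t2 = weak_csrf_token_with_state( 4242, 1749659040, 12345 );
print "weak token reproducible from known inputs: ",
    ( $t1 eq $t2 ? "yes" : "no" ), "\n";
print "weak   (1.03-style): ", weak_csrf_token(),   "\n";
print "strong (CSPRNG):     ", strong_csrf_token(), "\n";
```

Two points worth checking in any replacement: the token must come from a
CSPRNG (the kernel, or Crypt::URandom), and, when the submitted token is
checked against the stored one, the comparison should be constant-time
(Mojo::Util::secure_compare in a Mojolicious application) rather than a
plain eq.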

Problem types
-------------
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator

Impacts
-------
- CAPEC-62: Cross Site Request Forgery

Solutions
---------
Users of version 1.03 should upgrade to 1.04.

References
----------
https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/diff/GRYPHON/Mojolicious-Plugin-CSRF-1.03
https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/changes