CVE-2025-40933: Apache::AuthAny::Cookie v0.201 or earlier for Perl generates session ids insecurely Robert Rothenberg 17 Sep 2025 14:33 UTC

========================================================================
CVE-2025-40933                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2025-40933
   Distribution:  Apache-AuthAny
       Versions:  from 0.19 through 0.201

       MetaCPAN:  https://metacpan.org/dist/Apache-AuthAny

Apache::AuthAny::Cookie v0.201 or earlier for Perl generates session
ids insecurely

Description
-----------
Apache::AuthAny::Cookie v0.201 or earlier for Perl generates session
ids insecurely.

Session ids are generated using an MD5 hash of the epoch time and a
call to the built-in rand function. The epoch time may be guessed, if
it is not simply disclosed by the HTTP Date response header. The
built-in rand function is not suitable for cryptographic use.

Predictable session ids could allow an attacker to gain access to
systems.
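As an added illustration (not code from the Apache-AuthAny distribution), the weak pattern the description refers to next to a replacement that draws the id from the kernel CSPRNG; the weak_session_id and secure_session_id names, the 32-byte length and the /dev/urandom path are this example's own assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Weak pattern as described in the advisory (illustrative reconstruction,
# NOT the module's actual source): the only inputs are the epoch second,
# which is public or easily guessed, and rand(), which is not a CSPRNG.
# Hashing with MD5 adds no entropy; the id is only as unpredictable as
# its inputs.
sub weak_session_id {
    return md5_hex( time() . rand() );
}

# Replacement: read raw bytes from the operating system's CSPRNG and
# hex-encode them. 32 bytes gives a 256-bit id; the strength comes from
# the entropy source, not from hashing. (Assumes a Unix-like host with
# /dev/urandom; Crypt::URandom from CPAN wraps this portably.)
sub secure_session_id {
    my $nbytes = shift // 32;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $buf, $nbytes;
    close $fh;
    die "short read from /dev/urandom"
        unless defined $got && $got == $nbytes;
    return unpack 'H*', $buf;
}

# Stand-alone demonstration when run directly (not when required as a
# library): print one id of each kind so the formats can be compared.
if ( !caller ) {
    print "weak (time + rand, MD5): ", weak_session_id(),   "\n";
    print "secure (256-bit urandom): ", secure_session_id(), "\n";
}
```

A server that already issued ids from the weak generator should invalidate outstanding sessions when deploying the fix, since those ids remain guessable.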

Problem types
-------------
- CWE-340 Generation of Predictable Numbers or Identifiers
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator

References
----------
https://metacpan.org/release/KGOLDOV/Apache2-AuthAny-0.201/source/lib/Apache2/AuthAny/Cookie.pm