CVE-2025-40925: Starch versions 0.14 and earlier generate session ids insecurely
Timothy Legge 20 Sep 2025 12:33 UTC
========================================================================
CVE-2025-40925 CPAN Security Group
========================================================================
CVE ID: CVE-2025-40925
Distribution: Starch
Versions: from 0.01 through 0.14
MetaCPAN: https://metacpan.org/dist/Starch
VCS Repo: https://github.com/bluefeet/Starch
Starch versions 0.14 and earlier generate session ids insecurely
Description
-----------
Starch versions 0.14 and earlier generate session ids insecurely.
The default session id generator returns a SHA-1 hash seeded with a
counter, the epoch time, the built-in rand function, the PID, and
internal Perl reference addresses. The PID will come from a small set
of numbers, and the epoch time may be guessed, if it is not leaked from
the HTTP Date header. The built-in rand function is unsuitable for
cryptographic usage.
Predictable session ids could allow an attacker to gain access to
systems.
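The generator pattern described above, reconstructed from the description rather than taken from Starch's own source, beside a hardened form that draws the id from the kernel CSPRNG. This is an added example, not the project's code or the fix from the referenced pull request; the subroutine names and the use of `/dev/urandom` are this example's own choices.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA  qw(sha1_hex);
use Scalar::Util qw(refaddr);

# Reconstruction of the weak pattern the advisory describes (not Starch's
# actual code). Every input is small, guessable, or drawn from a
# non-cryptographic PRNG, so hashing them with SHA-1 adds no entropy;
# it only hides how little there was.
my $counter = 0;
sub weak_session_id {
    my ($self) = @_;           # assumed: the object whose address is mixed in
    return sha1_hex(join '|',
        $counter++,            # increments per call: fully predictable
        time(),                # epoch seconds: guessable, often in the Date header
        rand(),                # perl's built-in rand: not a CSPRNG
        $$,                    # process id: one of a small set of values
        refaddr($self),        # heap address: little entropy, may repeat
    );
}

# Hardened generator: 32 bytes straight from the kernel CSPRNG, hex encoded.
# Reading /dev/urandom directly is this example's choice for a dependency-free
# demonstration; a CPAN module such as Crypt::URandom is the portable equivalent.
sub secure_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = sysread $fh, my $bytes, 32;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 32;
    return unpack 'H*', $bytes;   # 64 hex characters, 256 bits of entropy
}

# Cheap sanity check for a session id: length and character set only; it
# cannot prove randomness, but catches a generator that was never switched.
sub looks_like_secure_hex_id {
    my ($id) = @_;
    return defined $id && $id =~ /\A[0-9a-f]{64}\z/;
}

my $obj = bless {}, 'Demo';
printf "weak:   %s (passes length check: %d)\n",
    weak_session_id($obj), looks_like_secure_hex_id(weak_session_id($obj)) ? 1 : 0;
printf "secure: %s (passes length check: %d)\n",
    secure_session_id(), looks_like_secure_hex_id(secure_session_id()) ? 1 : 0;
```

The weak id is 40 hex characters and fails the length check; more importantly, its unpredictability rests entirely on `rand()` once the time, PID and counter are narrowed down, which is why the advisory rates it as CWE-338. The hardened form derives nothing from process state and is as strong as the bytes it reads.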
Problem types
-------------
- CWE-340 Generation of Predictable Numbers or Identifiers
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
References
----------
https://github.com/bluefeet/Starch/pull/5
https://github.com/bluefeet/Starch/commit/5573449e64e0660f7ee209d1eab5881d4ccbee3b.patch
https://metacpan.org/dist/Starch/source/lib/Starch/Manager.pm