CVE-2024-58040: Crypt::RandomEncryption for Perl uses insecure rand() function during encryption

CVE-2024-58040: Crypt::RandomEncryption for Perl uses insecure rand() function during encryption Timothy Legge 29 Sep 2025 23:57 UTC

========================================================================
CVE-2024-58040                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2024-58040
   Distribution:  Crypt-RandomEncryption
       Versions:  from 0.01 through *

       MetaCPAN:  https://metacpan.org/dist/Crypt-RandomEncryption

Crypt::RandomEncryption for Perl uses insecure rand() function during
encryption

Description
-----------
Crypt::RandomEncryption for Perl version 0.01 uses insecure rand()
function during encryption.

Problem types
-------------
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
(PRNG)
CWE-331 Insufficient Entropy

References
----------
https://metacpan.org/release/QWER/Crypt-RandomEncryption-0.01/source/lib/Crypt/RandomEncryption.pm#L33
https://security.metacpan.org/docs/guides/random-data-for-security.html
https://perldoc.perl.org/functions/rand

Credits
-------
Robert Rothenberg, finder