CVE-2025-15578: Maypole versions from 2.10 through 2.13 for Perl generate session ids insecurely
Timothy Legge, 16 Feb 2026 21:19 UTC

========================================================================
CVE-2025-15578                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2025-15578
   Distribution:  Maypole
       Versions:  from 2.10 through 2.13

       MetaCPAN:  https://metacpan.org/dist/Maypole

Maypole versions from 2.10 through 2.13 for Perl generate session ids
insecurely

Description
-----------
Maypole versions from 2.10 through 2.13 for Perl generate session ids
insecurely. The session id is seeded with the system time (which is
available from HTTP response headers), a call to the built-in rand()
function, and the PID.
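
The contrast described above, as an added example (not Maypole's code and
not part of the original advisory). weak_id_from is a hypothetical
reconstruction of the time + rand() + PID pattern, and secure_session_id
assumes a Unix-like host that provides /dev/urandom.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Hypothetical reconstruction of the weak pattern the advisory describes
# (time + rand() + PID, hashed). Not Maypole's source. The inputs are passed
# in explicitly to show that the id is a pure function of them.
sub weak_id_from {
    my ($time, $seed, $pid) = @_;
    srand($seed);                        # rand() output is fixed by its seed
    return md5_hex($time . rand() . $pid);
}

# Hardened form: 128 bits straight from the kernel CSPRNG, hex-encoded.
# Assumption: a Unix-like system that provides /dev/urandom.
sub secure_session_id {
    my $nbytes = shift // 16;
    open(my $fh, '<:raw', '/dev/urandom')
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    while (length($buf) < $nbytes) {     # loop to handle short reads
        my $got = read($fh, $buf, $nbytes - length($buf), length($buf));
        die "read from /dev/urandom failed: $!" unless defined $got;
        die "unexpected EOF on /dev/urandom\n" if $got == 0;
    }
    close($fh);
    return unpack('H*', $buf);
}

# Constructed sample inputs, for illustration only.
my ($t, $seed, $pid) = (1_700_000_000, 42, 12345);

# Same inputs give the same id: hashing adds no entropy to guessable inputs.
my $same = weak_id_from($t, $seed, $pid) eq weak_id_from($t, $seed, $pid);
print "weak id repeats for equal inputs: ", ($same ? "yes" : "no"), "\n";

# Two CSPRNG ids are independent 128-bit values.
my ($x, $y) = (secure_session_id(), secure_session_id());
print "secure ids: $x $y\n";
print "secure ids differ: ", ($x ne $y ? "yes" : "no"), "\n";
```

On platforms without /dev/urandom, a CPAN module such as Crypt::URandom
serves the same purpose.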

Problem types
-------------
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
   (PRNG)

References
----------
https://metacpan.org/dist/Maypole/source/lib/Maypole/Session.pm#L43

Credits
-------
Robert Rothenberg, finder