CVE-2024-58041: Smolder versions through 1.51 for Perl use the insecure rand() function for cryptographic functions
Timothy Legge
23 Feb 2026 23:56 UTC


========================================================================
CVE-2024-58041                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2024-58041
   Distribution:  Smolder
       Versions:  through 1.51

       MetaCPAN:  https://metacpan.org/dist/Smolder

Smolder versions through 1.51 for Perl use the insecure rand() function
for cryptographic functions

Description
-----------
Smolder 1.51 and earlier for Perl use the rand() function, which is not
cryptographically secure, as the default source of entropy for
cryptographic functions.

Specifically, Smolder::DB::Developer uses the Data::Random library,
which itself states that it is "Useful mostly for test programs".
Data::Random uses the rand() function.
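
The weakness described above, shown as an added example that is not part
of the advisory and is not Smolder's or Data::Random's code: a
rand()-backed generator replays its output when reseeded, while a
replacement draws from the OS CSPRNG. The function names, alphabet, token
length and seed are assumptions, as is the choice of Crypt::URandom (a
CPAN module) as the secure source.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Crypt::URandom qw(urandom);    # CPAN module; returns bytes from the OS CSPRNG

my @ALPHABET = ('A' .. 'Z', 'a' .. 'z', '0' .. '9');    # 62 symbols (assumed)

# Weak: built on Perl's rand(), like any rand()-backed helper.
# Hypothetical stand-in, not the code shipped in Smolder or Data::Random.
sub weak_token {
    my ($len) = @_;
    return join '', map { $ALPHABET[ int rand @ALPHABET ] } 1 .. $len;
}

# Hardened: bytes from the OS CSPRNG, with rejection sampling so every
# symbol is equally likely (256 is not a multiple of 62).
sub secure_token {
    my ($len) = @_;
    my $limit = 256 - (256 % @ALPHABET);    # 248, largest multiple of 62 <= 256
    my $out   = '';
    while (length($out) < $len) {
        for my $byte (unpack 'C*', urandom($len)) {
            next if $byte >= $limit;        # discard values that would bias
            $out .= $ALPHABET[ $byte % @ALPHABET ];
            last if length($out) == $len;
        }
    }
    return $out;
}

# rand() output is a pure function of its seed: reseeding replays it.
srand(1234);                                # constructed seed
my $first = weak_token(16);
srand(1234);
my $second = weak_token(16);
print "rand() token repeats after reseed: ",
    ($first eq $second ? "yes" : "no"), "\n";

# The CSPRNG has no application-visible seed to replay.
my ($t1, $t2) = (secure_token(16), secure_token(16));
print "secure tokens differ: ", ($t1 ne $t2 ? "yes" : "no"), "\n";
```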

Problem types
-------------
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
   (PRNG)

References
----------
https://perldoc.perl.org/functions/rand
https://security.metacpan.org/docs/guides/random-data-for-security.html
https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537
https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.pm#L5
https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.pm#L221

Credits
-------
Robert Rothenberg (RRWO), finder