CVE-2025-40932: Apache::SessionX versions through 2.01 for Perl create insecure session id Timothy Legge 26 Feb 2026 23:34 UTC

========================================================================
CVE-2025-40932                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2025-40932
   Distribution:  Apache-SessionX
       Versions:  through 2.01

       MetaCPAN:  https://metacpan.org/dist/Apache-SessionX

Apache::SessionX versions through 2.01 for Perl create insecure session
id

Description
-----------
Apache::SessionX versions through 2.01 for Perl create insecure session
id.

Apache::SessionX generates session ids insecurely. The default session
id generator in Apache::SessionX::Generate::MD5 returns an MD5 hash
seeded with the built-in rand() function, the epoch time, and the PID.
The PID will come from a small set of numbers, and the epoch time may
be guessed, if it is not leaked from the HTTP Date header. The built-in
rand() function is unsuitable for cryptographic usage. Predictable
session ids could allow an attacker to gain access to systems.
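For contrast with the construction described above, here is an added
example of a session id generator that takes its entropy from the
operating system's CSPRNG rather than from rand(), the epoch time and
the PID. It is not code from Apache::SessionX or from the CPAN Security
Group; the module name My::Session::Generate::Urandom is hypothetical,
and it assumes the generator interface used by Apache::Session (a
generate($session) and validate($session) pair that stores the id in
$session->{data}->{_session_id}) and a Unix-like host with
/dev/urandom.

```perl
#!/usr/bin/perl
# Added illustration, not part of Apache::SessionX. A session id generator
# module in the shape Apache::Session expects (assumption: the generator
# class exposes generate($session) and validate($session) and stores the
# id in $session->{data}->{_session_id}). It draws the id from the OS
# CSPRNG instead of hashing rand(), time() and $$.
package My::Session::Generate::Urandom;   # hypothetical module name
use strict;
use warnings;

our $ID_BYTES = 32;   # 256 bits of entropy per session id

# Read exactly $n bytes from /dev/urandom (assumption: Unix-like host).
sub _os_random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    while (length $buf < $n) {
        my $got = sysread $fh, $buf, $n - length $buf, length $buf;
        die "short read from /dev/urandom: $!"
            unless defined $got && $got > 0;
    }
    close $fh;
    return $buf;
}

# Lowercase hex encoding keeps the id cookie-safe and easy to validate.
sub new_id {
    return unpack 'H*', _os_random_bytes($ID_BYTES);
}

sub generate {
    my ($session) = @_;
    $session->{data}->{_session_id} = new_id();
}

# Accept only a hex string of exactly the expected length, so a client
# cannot supply a crafted, truncated or padded id.
sub validate {
    my ($session) = @_;
    my $id  = $session->{data}->{_session_id};
    my $len = $ID_BYTES * 2;
    die 'Invalid session ID: ' . ($id // 'undef')
        unless defined $id && $id =~ /^[0-9a-f]{$len}$/;
}

package main;
# Usage check: two freshly generated ids differ and pass validation.
my (%s1, %s2);
My::Session::Generate::Urandom::generate(\%s1);
My::Session::Generate::Urandom::generate(\%s2);
My::Session::Generate::Urandom::validate(\%s1);
My::Session::Generate::Urandom::validate(\%s2);
die "ids collided" if $s1{data}{_session_id} eq $s2{data}{_session_id};
print "ok: $s1{data}{_session_id}\n";
```

The length check in validate() is as important as the entropy source:
an id format that admits variable length or non-hex characters widens
what a client can inject into the session store lookup.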

Problem types
-------------
- CWE-340 Generation of Predictable Numbers or Identifiers
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator

Solutions
---------
Consider alternative solutions such as
https://metacpan.org/pod/Apache::SessionX::Generate::Random

References
----------
https://metacpan.org/release/GRICHTER/Apache-SessionX-2.01/source/SessionX/Generate/MD5.pm#L29

Credits
-------
Robert Rothenberg, finder