CVE-2026-3255: HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function Robert Rothenberg 27 Feb 2026 20:18 UTC

========================================================================
CVE-2026-3255                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-3255
   Distribution:  HTTP-Session2
       Versions:  before 1.12

       MetaCPAN:  https://metacpan.org/dist/HTTP-Session2
       VCS Repo:  https://github.com/tokuhirom/HTTP-Session2

HTTP::Session2 versions before 1.12 for Perl may generate weak session
ids using the rand() function

Description
-----------
HTTP::Session2 versions before 1.12 for Perl may generate weak
session ids using the rand() function.

The HTTP::Session2 session id generator returns a SHA-1 hash seeded
with the built-in rand function, the epoch time, and the PID. The PID
will come from a small set of numbers, and the epoch time may be
guessed, if it is not leaked from the HTTP Date header. The built-in
rand() function is unsuitable for cryptographic usage.

HTTP::Session2 after version 1.02 will attempt to use the /dev/urandom
device to generate a session id, but if the device is unavailable (for
example, under Windows), then it will revert to the insecure method
described above.
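For contrast, the following is an added example (not code from HTTP::Session2 or from its 1.12 fix) showing the weak pattern the advisory describes next to a generator that fails closed rather than downgrading to rand(); it assumes the CPAN module Crypt::URandom is installed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);
use Crypt::URandom qw(urandom);   # assumption: Crypt::URandom from CPAN

# The pattern to avoid: hashing guessable inputs does not add entropy.
# rand() is not a CSPRNG, time() is guessable (or leaked via the HTTP Date
# header) and $$ (the PID) comes from a small range.
sub weak_session_id {
    return sha1_hex( join( ':', rand(), time(), $$ ) );
}

# Hardened replacement: raw bytes from the OS CSPRNG, hex-encoded.
# Crypt::URandom reads /dev/urandom on Unix and uses the Windows crypto
# API elsewhere; if neither works it croaks, and we never fall back.
sub secure_session_id {
    my ($nbytes) = @_;
    $nbytes ||= 32;                    # 256 bits of entropy by default
    my $bytes = eval { urandom($nbytes) };
    # Fail closed: refusing to issue a session id is safer than a weak one.
    die "no CSPRNG available, refusing to issue a session id: $@"
        unless defined $bytes && length($bytes) == $nbytes;
    return unpack( 'H*', $bytes );
}

print secure_session_id(), "\n";
```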

Problem types
-------------
- CWE-340 Generation of Predictable Numbers or Identifiers
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator

Workarounds
-----------
Upgrade to version 1.12 or later.

Solutions
---------
HTTP::Session2 has been deprecated since version 1.11. Migrate to a
different solution.

References
----------
https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.11/source/lib/HTTP/Session2/Random.pm#L35
https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.01/source/lib/HTTP/Session2/ServerStore.pm#L68
https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.12/changes
https://github.com/tokuhirom/HTTP-Session2/commit/9cfde4d7e0965172aef5dcfa3b03bb48df93e636.patch

Timeline
--------
- 2014-07-31: version 1.02 HTTP::Session2 released that attempts to use
   /dev/urandom.
- 2026-02-24: version 1.11 HTTP::Session2 deprecated
- 2026-02-26: version 1.12 HTTP::Session2 released with a fix using a
   portable solution.