========================================================================
CVE-2026-5087                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-5087
   Distribution:  PAGI-Middleware-Session-Store-Cookie
       Versions:  through 0.001003

       MetaCPAN:
https://metacpan.org/dist/PAGI-Middleware-Session-Store-Cookie
       VCS Repo:
https://github.com/jjn1056/PAGI-Middleware-Session-Store-Cookie

PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for
Perl generates random bytes insecurely

Description
-----------
PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for
Perl generates random bytes insecurely.

PAGI::Middleware::Session::Store::Cookie attempts to read bytes from
the /dev/urandom device directly. If that fails (for example, on
systems without the device, such as Windows), then it will emit a
warning that recommends the user install Crypt::URandom, and then
return a string of random bytes generated by the built-in rand
function, which is unsuitable for cryptographic applications.

This modules does not use the Crypt::URandom module, and installing it
will not fix the problem.

The random bytes are used for generating an initialisation vector (IV)
to encrypt the cookie.

A predictable IV may make it easier for malicious users to decrypt and
tamper with the session data that is stored in the cookie.

Problem types
-------------
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
- CWE-1204 Generation of Weak Initialization Vector (IV)

Solutions
---------
Upgrade to version 0.001004 or newer.

References
----------
https://metacpan.org/release/JJNAPIORK/PAGI-Middleware-Session-Store-Cookie-0.001003/source/lib/PAGI/Middleware/Session/Store/Cookie.pm#L156-173
https://metacpan.org/release/JJNAPIORK/PAGI-Middleware-Session-Store-Cookie-0.001004/changes