CVE-2026-5082: Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id Robert Rothenberg 08 Apr 2026 05:51 UTC

========================================================================
CVE-2026-5082                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-5082
   Distribution:  Amon2-Plugin-Web-CSRFDefender
       Versions:  from 7.00 through 7.03

       MetaCPAN: https://metacpan.org/dist/Amon2-Plugin-Web-CSRFDefender
       VCS Repo: https://github.com/tokuhirom/Amon2-Plugin-Web-CSRFDefender

Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for
Perl generate an insecure session id

Description
-----------
Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for
Perl generate an insecure session id.

The generate_session_id function will attempt to read bytes from the
/dev/urandom device, but if that is unavailable then it generates bytes
using a SHA-1 hash seeded with the built-in rand() function, the PID, and
the high resolution epoch time.  The PID will come from a small set of
numbers, and the epoch time may be guessed, if it is not leaked from
the HTTP Date header. The built-in rand function is unsuitable for
cryptographic usage.
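The following is an added example written for this advisory; it is not
code from Amon2::Plugin::Web::CSRFDefender or its author. It shows the
mitigation pattern the description implies: a session-id generator that
reads only from /dev/urandom and fails closed (dies) when the device is
unavailable, rather than falling back to rand(), the PID and the clock.
It also includes a small check that reports whether the installed
Amon2::Plugin::Web::CSRFDefender is at or above the fixed version 7.04.
The function names secure_random_bytes, generate_session_id and
csrfdefender_is_fixed are this example's own; only core Perl modules
are used.

```perl
#!/usr/bin/env perl
# Added example (not code from Amon2::Plugin::Web::CSRFDefender).
# Fail-closed session-id generation plus an installed-version check
# against the range affected by CVE-2026-5082 (7.00 through 7.03).
use strict;
use warnings;
use Fcntl qw(O_RDONLY);
use version;

# Read exactly $n bytes from the kernel CSPRNG.  Unlike the fallback
# described in the advisory (SHA-1 over rand(), PID and epoch time),
# this dies when the device is missing or returns a short read, so a
# weak identifier is never produced silently.
sub secure_random_bytes {
    my ($n) = @_;
    sysopen(my $fh, '/dev/urandom', O_RDONLY)
        or die "cannot open /dev/urandom: $!";
    binmode $fh;
    my $buf = '';
    while (length($buf) < $n) {
        my $got = sysread($fh, my $chunk, $n - length($buf));
        die "short read from /dev/urandom: $!"
            unless defined $got && $got > 0;
        $buf .= $chunk;
    }
    close $fh;
    return $buf;
}

# 32 random bytes rendered as 64 hex characters; there is no
# non-CSPRNG code path in this generator.
sub generate_session_id {
    return unpack('H*', secure_random_bytes(32));
}

# Returns 1 if the installed module is version 7.04 or later,
# 0 if it is older (i.e. in or before the affected range), and
# undef if the module is not installed at all.
sub csrfdefender_is_fixed {
    my $mod = 'Amon2::Plugin::Web::CSRFDefender';
    (my $file = "$mod.pm") =~ s{::}{/}g;
    eval { require $file; 1 } or return undef;
    no strict 'refs';
    my $v = ${"${mod}::VERSION"};
    return undef unless defined $v;
    return version->parse($v) >= version->parse('7.04') ? 1 : 0;
}

# Runs only when executed directly, not when required by another script.
if (!caller) {
    print "session id: ", generate_session_id(), "\n";
    my $fixed = csrfdefender_is_fixed();
    print defined $fixed
        ? ($fixed
            ? "Amon2::Plugin::Web::CSRFDefender >= 7.04: fixed\n"
            : "Amon2::Plugin::Web::CSRFDefender < 7.04: affected, upgrade\n")
        : "Amon2::Plugin::Web::CSRFDefender not installed\n";
}

1;
```

Running the script prints one freshly generated identifier and the
version verdict.  The design choice worth noting is the absence of any
fallback: on a host where /dev/urandom cannot be opened, refusing to
issue a session id is the safer failure mode, because an identifier
derived from a few thousand possible PIDs and a guessable timestamp
offers little protection regardless of the hash applied on top.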

Amon2::Plugin::Web::CSRFDefender versions before 7.00 were part of
Amon2, which was vulnerable to insecure session ids due to
CVE-2025-15604.

Note that the author has deprecated this module.

Problem types
-------------
- CWE-340 Generation of Predictable Numbers or Identifiers
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator

Solutions
---------
Upgrade to Amon2::Plugin::Web::CSRFDefender version 7.04 or later.

References
----------
https://metacpan.org/release/TOKUHIROM/Amon2-Plugin-Web-CSRFDefender-7.03/source/lib/Amon2/Plugin/Web/CSRFDefender/Random.pm
https://metacpan.org/release/TOKUHIROM/Amon2-Plugin-Web-CSRFDefender-7.04/changes
https://www.cve.org/CVERecord?id=CVE-2025-15604