CVE-2017-20240: Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks
Robert Rothenberg 12 Jun 2026 13:23 UTC
========================================================================
CVE-2017-20240 CPAN Security Group
========================================================================
CVE ID: CVE-2017-20240
Distribution: Crypt-PBKDF2
Versions: before 0.261630
MetaCPAN: https://metacpan.org/dist/Crypt-PBKDF2
VCS Repo: https://github.com/arodland/Crypt-PBKDF2
Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to
timing attacks
Description
-----------
Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to
timing attacks.
These versions use Perl's built-in eq comparison. Discrepancies in
timing could be used to guess the underlying derived-key.
Problem types
-------------
- CWE-208 Observable Timing Discrepancy
Workarounds
-----------
Apply the patch from the referenced pull request.
Solutions
---------
Upgrade to version 0.261630 or later.
References
----------
https://github.com/arodland/Crypt-PBKDF2/pull/6
https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.161520/source/lib/Crypt/PBKDF2.pm#L123-148
https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.261630/changes
Timeline
--------
- 2017-12-11: Issue reported as pull request
- 2026-06-11: Version 0.261630 released with a fix
