Weak Token Generation in Mojolicious Plugin for Perl
CVE-2025-40915

7HIGH

Key Information:

Vendor: Gryphon
Status: Mojolicious::plugin::csrf
Vendor: CVE Published:; 11 June 2025

What is CVE-2025-40915?

Mojolicious::Plugin::CSRF version 1.03 for Perl is susceptible to a security issue due to its reliance on a weak random number generator when creating Cross-Site Request Forgery (CSRF) tokens. The identified method uses a combination of the process ID, the current time, and the built-in rand() function, resulting in predictable token generation. This flaw could allow attackers to exploit CSRF vulnerabilities effectively, compromising the integrity and security of web applications utilizing this plugin. It is advisable for users to upgrade to the latest version to mitigate risks associated with this vulnerability.

Affected Version(s)

Mojolicious::Plugin::CSRF 1.03

References

https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-C...

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 11, 2025
Vulnerability Reserved
Apr 16, 2025

Gryphon

What is CVE-2025-40915?

Affected Version(s)

References

CVSS V3.1

Timeline