Weak Random Number Generation in Mojolicious Plugin for Perl
CVE-2025-40916

9.1 CRITICAL

Key Information:

Vendor

Gryphon

CVE Published:
16 June 2025

What is CVE-2025-40916?

Mojolicious::Plugin::CaptchaPNG version 1.05 for Perl relies on Perl's built-in rand() function to generate both the captcha text and the image noise. rand() is not a cryptographically secure generator: its output is predictable, so the captcha text can be anticipated and the protection the captcha is meant to provide is undermined, allowing an attacker to bypass it. Developers should upgrade to a more secure version or switch to a cryptographically strong source of randomness to mitigate this risk.
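To make the difference concrete, the following is an added illustration written for this page; it is not the plugin's source code. It places a captcha-text generator built on rand(), the pattern the advisory describes, next to a hardened version that draws bytes from the operating system's CSPRNG via /dev/urandom using only core Perl. The alphabet is a constructed example, and the script assumes a Unix-like system where /dev/urandom exists.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed captcha alphabet for this example: uppercase letters and the
# digits 2-9 (34 symbols).
my @ALPHABET = ('A'..'Z', 2..9);

# Weak pattern (what the advisory warns against): rand() is a general
# purpose PRNG with a small internal state, so someone who observes enough
# output can predict later values. Do not use this for captchas.
sub weak_captcha_text {
    my ($len) = @_;
    return join '', map { $ALPHABET[ int(rand(@ALPHABET)) ] } 1 .. $len;
}

# Hardened version: read one byte at a time from the OS CSPRNG and map it
# onto the alphabet with rejection sampling, which avoids the modulo bias
# that "byte % 34" alone would introduce.
sub secure_captcha_text {
    my ($len) = @_;
    my $n     = scalar @ALPHABET;
    my $limit = 256 - (256 % $n);   # largest multiple of $n that fits in a byte
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $out = '';
    while (length($out) < $len) {
        my $buf;
        sysread($fh, $buf, 1) == 1 or die "short read from /dev/urandom: $!";
        my $b = ord $buf;
        next if $b >= $limit;        # reject bytes that would skew the distribution
        $out .= $ALPHABET[ $b % $n ];
    }
    close $fh;
    return $out;
}

print "weak (rand):      ", weak_captcha_text(6),   "\n";
print "secure (urandom): ", secure_captcha_text(6), "\n";
```

The same secure byte source should feed the image noise as well, since the advisory covers both uses. On platforms without /dev/urandom, or where a portable interface is preferred, the CPAN module Crypt::URandom provides an equivalent `urandom($n)` call that can replace the file read in `secure_captcha_text`.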

Affected Version(s)

Mojolicious::Plugin::CaptchaPNG 1.05

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
