Insecure Session ID Generation in Plack-Middleware-Session for Perl
CVE-2025-40923

7.3 HIGH

Key Information:

Vendor:
Miyagawa

CVE Published:
16 July 2025

What is CVE-2025-40923?

Plack::Middleware::Session versions prior to 0.35 for Perl generate session IDs insecurely. The default generator returns a SHA-1 hash of a seed built from Perl's built-in random number function, which is not cryptographically secure, together with the process ID and the epoch time. Because those inputs are predictable, the resulting session IDs can be guessed; an attacker who correctly predicts a valid ID can hijack that user's session and gain unauthorized access to the data and functionality the application exposes to it.
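The weak pattern the description outlines, shown beside a hardened generator and a check of the installed version, as an added example that is not the module's own code; it assumes Perl with the core version and Digest::SHA modules and a POSIX /dev/urandom.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use version;
use Digest::SHA qw(sha1_hex);

# Weak pattern, in the shape the advisory describes (illustration only, not
# the module's own source): SHA-1 over rand(), the epoch time and the PID.
# Hashing does not add entropy, so the id is only as unpredictable as its
# inputs, and none of these three is a cryptographic source.
sub weak_session_id {
    return sha1_hex( rand() . time() . $$ );
}

# Hardened replacement: 32 bytes from the kernel CSPRNG, hex-encoded.
# Assumes a POSIX system with /dev/urandom.
sub secure_session_id {
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $bytes, 32;
    close $fh;
    die "short read from /dev/urandom"
        unless defined $got && $got == 32;
    return unpack 'H*', $bytes;
}

# Defender check: is the installed Plack::Middleware::Session older than
# the fixed release (0.35)? Returns 1 (affected), 0 (not affected) or
# undef (module not installed or carries no version).
sub installed_version_affected {
    my $loaded = eval { require Plack::Middleware::Session; 1 };
    return undef unless $loaded;
    my $v = Plack::Middleware::Session->VERSION;
    return undef unless defined $v;
    return version->parse($v) < version->parse('0.35') ? 1 : 0;
}

my $state = installed_version_affected();
print "Plack::Middleware::Session: ",
    ( !defined $state ? "not installed"
    : $state          ? "AFFECTED (< 0.35)"
    :                   "fixed (>= 0.35)" ), "\n";
print "weak-pattern id:  ", weak_session_id(),   "\n";
print "urandom-based id: ", secure_session_id(), "\n";
```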

Affected Version(s)

Plack::Middleware::Session >= 0.01 and < 0.35 (all releases before 0.35)

CVSS v3.1

Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Vector string (same metrics as above): AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Timeline

  • Vulnerability published: 16 July 2025

  • Vulnerability reserved