Session ID Generation Flaw in Catalyst Plugin for Perl
CVE-2025-40924

Currently unrated

Key Information:

Vendor

Haarg

CVE Published:
17 July 2025

What is CVE-2025-40924?

Catalyst::Plugin::Session for Perl before version 0.44 generates session IDs from a combination of low-entropy data sources: counters, epoch time, the process identifier (PID) and Perl's built-in random function. Because each of these inputs is small, observable or easily guessed, the resulting session IDs are predictable, and an attacker who can narrow down the inputs can derive valid IDs and gain unauthorized access to other users' sessions. The fix is to generate session identifiers with a cryptographically secure source of randomness, which removes the dependence on PID and clock values and prevents session hijacking through ID guessing.
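To make the weakness concrete, here is an added Python model of the pattern the advisory describes, written for this page rather than taken from the plugin itself. It assumes, as a constructed simplification, that the built-in random function is seeded from the epoch, and it bounds the effective entropy of such IDs beside a CSPRNG-backed replacement:

```python
import hashlib
import math
import random
import secrets


def weak_session_id(counter: int, pid: int, epoch: int) -> str:
    """Constructed model of the pre-0.44 pattern the advisory describes: the
    ID is a digest over a counter, the PID, the epoch time and rand().
    Model assumption: rand() is seeded from the epoch, so every input is a
    small integer that an observer can approximate."""
    rng = random.Random(epoch)  # stand-in for a poorly seeded rand()
    material = f"{counter}:{pid}:{epoch}:{rng.random()}"
    # Hashing hides the inputs but adds no entropy: same inputs, same ID.
    return hashlib.sha256(material.encode()).hexdigest()


def strong_session_id() -> str:
    """CSPRNG-backed replacement: 16 bytes from the OS entropy source,
    which is 128 bits regardless of PID, clock or request count."""
    return secrets.token_hex(16)


def effective_entropy_bits(pid_space: int, window_s: int, counter_space: int) -> float:
    """Upper bound on the weak scheme's entropy. Because the ID is a pure
    function of its inputs, it can take at most
    pid_space * window_s * counter_space distinct values for a session
    created inside that time window, however long the hex digest looks."""
    return math.log2(pid_space * window_s * counter_space)


def count_distinct_ids(pids, epochs, counters) -> int:
    """Empirical check of the bound: enumerate every input combination and
    count the distinct IDs the weak scheme can produce."""
    return len({weak_session_id(c, p, e) for p in pids for e in epochs for c in counters})


if __name__ == "__main__":
    bits = effective_entropy_bits(pid_space=32768, window_s=60, counter_space=1000)
    print(f"weak scheme: at most {bits:.1f} bits for a 60 s window")  # ~30.9 bits
    print(f"strong scheme: 128 bits, e.g. {strong_session_id()}")
```

The digest's 64 hex characters suggest 256 bits, but the bound shows the real key space is set by the inputs, which is why the remediation replaces the inputs rather than the hash.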

Affected Version(s)

Catalyst::Plugin::Session from 0.01 up to, but not including, 0.44

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved
