Insecure Session ID Generation in Apache::Session::Generate::MD5 for Perl
CVE-2025-40931

9.1CRITICAL

Key Information:

Vendor: Chorny
Status: Apache::session::generate::md5
Vendor: CVE Published:; 5 March 2026

What is CVE-2025-40931?

The Apache::Session::Generate::MD5 module in Perl creates session IDs that are predictable due to the use of the built-in rand() function along with a combination of the epoch time and process ID. The limited range of potential process IDs and the potential for an attacker to guess the epoch time, especially if exposed in the HTTP headers, weakens session security. This can result in compromised session integrity, allowing unauthorized access to sensitive systems.

Affected Version(s)

Apache::Session::Generate::MD5 0 <= 1.94

References

https://metacpan.org/dist/Apache-Session/source/lib/Apach...

https://security.metacpan.org/docs/guides/random-data-for...

technical-description

https://github.com/chorny/Apache-Session/issues/4

issue-tracking

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 5, 2026
Vulnerability Reserved
Apr 16, 2025

Credit

Robert Rothenberg

CVE-2025-40931 Data

JSON

Chorny

What is CVE-2025-40931?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit