CVE-2025-40920HIGH 8.6EPSS p30.4%

CVE-2025-40920CVE-2025-40920

Description

Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. * Data::UUID does not use a strong cryptographic source for generating UUIDs. * Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562. * The nonces should be generated from a strong cryptographic source, as per RFC 7616.

Scoring

CVSS 3.18.6 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
EPSS0.39% probability of exploitation · percentile 30.4% · 2026-06-19T12:03:05Z
Published2025-08-11
Last modified2026-04-15

Underlying weaknesses· 2

CWE-338CWE-340

References

  1. https://datatracker.ietf.org/doc/html/rfc7616#section-5.12
  2. https://datatracker.ietf.org/doc/html/rfc9562#name-security-considerations
  3. https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/commit/ad2c03aad95406db4ce35dfb670664ebde004c18
  4. https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/pull/1
  5. https://metacpan.org/release/ETHER/Catalyst-Authentication-Credential-HTTP-1.018/source/lib/Catalyst/Authentication/Credential/HTTP.pm#L391
  6. https://security.metacpan.org/patches/C/Catalyst-Authentication-Credential-HTTP/1.018/CVE-2025-40920-r1.patch
  7. http://www.openwall.com/lists/oss-security/2025/08/12/1

2

TypeTargetConfidenceTier
WeaknessUse of Cryptographically Weak Pseudo-Random Number Generator (PRNG)cwe-3380%live
WeaknessGeneration of Predictable Numbers or Identifierscwe-3400%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-2439
CVE
CVE-2025-40931
CVE
CVE-2025-40932
CVE
CVE-2026-3256
CVE
CVE-2025-15604
CVE
CVE-2025-15578
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.