CVE-2025-40932 · HIGH 8.2 · EPSS p9.9%


Description

Apache::SessionX versions through 2.01 for Perl create insecure session ids. Apache::SessionX generates session ids insecurely. The default session id generator in Apache::SessionX::Generate::MD5 returns an MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems.

Scoring

CVSS 3.1: 8.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.20% probability of exploitation · percentile 9.9% · 2026-06-18T12:00:27Z
Published: 2026-02-27
Last modified: 2026-03-03

Underlying weaknesses · 2

CWE-338, CWE-340

References

  1. https://metacpan.org/release/GRICHTER/Apache-SessionX-2.01/source/SessionX/Generate/MD5.pm#L29

Type     | Target                                                           | Confidence | Tier
Weakness | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (cwe-338) | 0%         | live
Weakness | Generation of Predictable Numbers or Identifiers (cwe-340)       | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2025-40931
  2. CVE: CVE-2026-3256
  3. CVE: CVE-2026-5085
  4. CVE: CVE-2025-40926
  5. CVE: CVE-2025-15578
  6. CVE: CVE-2026-5081

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.