Vulnerability Lookup

🛡️ CVE-2025-40931

🔴 CVSS 9.1 — Critical ✅ No Known Exploit CWE-338 NVD

9.1

CVSS Score

0 Low4 Medium7 High9 Critical10

Description

Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems. Note that the libapache-session-perl package in some Debian-based Linux distributions may be patched to use Crypt::URandom.

Details

Severity CRITICAL

CVSS Score 9.1

CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE CWE-338

Public Exploit ✅ No

Source NVD

Published 2026-03-05

Updated 2026-06-02

Modified 2026-04-12

Fix URL N/A

Affected Packages

Software	From version	Fixed in
apache\	—	1.94

References

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930659

Issue Tracking https://github.com/chorny/Apache-Session/issues/4

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/work_items/1633

Product https://metacpan.org/dist/Apache-Session/source/lib/Apache/Session/Generate/MD5.pm#L27

https://metacpan.org/pod/Apache::Session::Generate::Random

Third Party Advisory https://rt.cpan.org/Ticket/Display.html?id=173631

https://salsa.debian.org/perl-team/modules/packages/libapache-session-perl/-/commit/bdabd71c2f91b18526e31a9dc52b4c17b3d246b7#898a4b8b00022df1b8689910b67707f3e738d180

Mailing List, Third Party Advisory https://security.metacpan.org/docs/guides/random-data-for-security.html

https://www.openwall.com/lists/oss-security/2019/06/15/1

Mailing List, Third Party Advisory http://www.openwall.com/lists/oss-security/2026/03/05/3

🔗 NVD 🔗 Mitre

Exploit Protection

Help block exploit attempts

BotEraser is designed to detect and help reduce malicious bot traffic that may target known vulnerabilities on your site.

Try BotEraser Free →

No credit card required · Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.

Help block exploit attempts

Company

Resources

Services

Trusted

Subscribe