How to fix CVE-2024-58041?

Within 24 hours: Inventory all systems running Smolder and assess whether cryptographic functions are actively used in production. Within 7 days: Evaluate upgrade feasibility to Smolder 1.52 or later if available, or identify alternative Perl cryptographic libraries that use secure entropy sources (e.g., Crypt::Random). Within 30 days: Complete migration away from vulnerable Smolder versions or implement application-level compensating controls and validate effectiveness through security testing.

Is Smolder affected by CVE-2024-58041?

Smolder versions 1.51 and earlier contain a critical cryptographic vulnerability that weakens security token generation and authentication mechanisms.

CVE-2024-58041

CRITICAL

2026-02-24 9b29abf9-4ab0-4765-b253-1875cd9b441e

9.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 24, 2026 - 00:16 nvd

CRITICAL 9.1

Description

Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions. Smolder 1.51 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically Smolder::DB::Developer uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.

Analysis

Insecure random number generation in Smolder 1.51 Perl testing framework. Uses rand() for cryptographic operations instead of a CSPRNG, enabling prediction of security tokens.

Technical Context

CWE-338 use of cryptographically weak PRNG. rand() output is predictable — any tokens, session IDs, or nonces generated with it can be predicted.

Affected Products

['Smolder <= 1.51']

Remediation

Replace rand() with a CSPRNG (e.g., Crypt::URandom).

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +46

POC: 0

CVE-2024-58041 vulnerability details – vuln.today

Back

CVE-2024-58041

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2024-58041

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code