CVE-2025-40915 | EUVD-2025-18132 | HIGH
2025-06-11 (9b29abf9-4ab0-4765-b253-1875cd9b441e)
CVSS 3.1 base score: 7.0

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: Low

Lifecycle Timeline

Patch Released: Apr 06, 2026 - 02:30 (nvd) - patch available
Analysis Generated: Mar 14, 2026 - 21:09 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 21:09 (euvd) - EUVD-2025-18132
CVE Published: Jun 11, 2025 - 17:15 (nvd) - HIGH 7.0

Description

Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens. That version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function.

Analysis

Mojolicious::Plugin::CSRF version 1.03 generates CSRF tokens using weak entropy sources (process ID, current time, and a single rand() call hashed with MD5), allowing attackers to predict or brute-force valid CSRF tokens and bypass CSRF protections. This affects Perl web applications using this specific plugin version. The vulnerability is not currently listed in CISA KEV, but the weak randomness makes token prediction feasible without requiring user interaction or high attack complexity.

Technical Context

Mojolicious::Plugin::CSRF is a Perl module that implements Cross-Site Request Forgery (CSRF) protection for the Mojolicious web framework. CVE-2025-40915 stems from CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator), a critical weakness in cryptographic token generation. The vulnerable implementation combines: (1) process ID—often sequential and predictable in containerized/cloud environments; (2) current time—low entropy with only millisecond or second granularity; (3) single rand() call—Perl's built-in rand() is not cryptographically secure and uses a predictable seeding mechanism. These three components are concatenated and hashed via MD5, but the hash of weak inputs remains weak. MD5 itself is cryptographically broken, compounding the issue. Affected CPE: pkg:perl/[email protected]. The module is installed via CPAN and integrated into Mojolicious applications for form token validation.

Affected Products

Mojolicious::Plugin::CSRF, version 1.03

Remediation

Patch/Upgrade: Update the CPAN dependency (cpan upgrade Mojolicious::Plugin::CSRF), or update Makefile.PL/cpanfile to require the patched version.

Workaround (Temporary): Use Crypt::Random or Crypt::OpenSSL::Random for token generation; override the plugin's token method, or disable the plugin and implement alternative CSRF validation.

Mitigation: Set SameSite cookie attributes (SameSite=Strict or Lax) as a defense-in-depth measure that reduces the CSRF attack surface regardless of token strength.

Detection: Use software composition analysis (SCA) tools or the cpan outdated command to identify deployed instances of version 1.03.
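The workaround and mitigation above, worked through as an added example (this is not code from Mojolicious::Plugin::CSRF or from vuln.today): tokens are drawn from Crypt::OpenSSL::Random instead of md5(pid . time . rand), kept in the signed session, compared in constant time, and the session cookie gets SameSite=Strict. The helper names strong_csrf_token and strong_csrf_ok, the form field name csrf_token, the session key and the placeholder app secret are all assumptions of this example.

```perl
#!/usr/bin/env perl
# Added example: CSPRNG-backed CSRF tokens for a Mojolicious app.
# Assumes Crypt::OpenSSL::Random is installed; Mojo::Util ships with Mojolicious.
use strict;
use warnings;
use Mojolicious::Lite -signatures;
use Crypt::OpenSSL::Random qw(random_bytes);
use Mojo::Util qw(secure_compare);

# 32 bytes (256 bits) from OpenSSL's CSPRNG, hex-encoded. The process id,
# the clock and Perl's rand() play no part in the token.
sub new_csrf_token { return unpack 'H*', random_bytes(32) }

# One token per session: generated once, stored in the signed session cookie
# and reused for every form rendered in that session (session key is assumed).
helper strong_csrf_token => sub ($c) {
  return $c->session->{strong_csrf_token} //= new_csrf_token();
};

# Accept the token from the form field or a request header and compare it in
# constant time, so a mismatch does not leak how many leading bytes matched.
helper strong_csrf_ok => sub ($c) {
  my $expected = $c->session->{strong_csrf_token} // return 0;
  my $given    = $c->param('csrf_token')
              // $c->req->headers->header('X-CSRF-Token') // '';
  return length($given) == length($expected) && secure_compare($given, $expected);
};

get '/form' => sub ($c) {
  $c->render(text => '<form method="POST" action="/submit">'
    . '<input type="hidden" name="csrf_token" value="' . $c->strong_csrf_token . '">'
    . '<button>Send</button></form>');
};

post '/submit' => sub ($c) {
  return $c->render(text => 'Bad CSRF token', status => 403)
    unless $c->strong_csrf_ok;
  $c->render(text => 'OK');
};

# Defense in depth from the advisory: the session cookie is not sent on
# cross-site requests at all, whatever the token's strength.
app->sessions->samesite('Strict');
app->secrets(['PLACEHOLDER-replace-with-a-long-random-secret']);  # signs the session cookie
app->start;
```

Run with `perl app.pl daemon`; GET /form, then POST /submit with and without the hidden field to see the 403 path.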

Priority Score

35 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +35
POC: 0

Vendor Status


CVE-2025-40915 vulnerability details – vuln.today
