CVE-2025-40920
HIGHCVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Lifecycle Timeline
2DescriptionNVD
Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library.
- Data::UUID does not use a strong cryptographic source for generating UUIDs.
- Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562.
- The nonces should be generated from a strong cryptographic source, as per RFC 7616.
AnalysisAI
Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-338. Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. * Data::UUID does not use a strong cryptographic source for generating UUIDs. * Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562. * The nonces should be generated from a strong cryptographic source, as per RFC 7616.
Affected ProductsAI
See vendor advisory for affected versions.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Share
External POC / Exploit Code
Leaving vuln.today