Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from Vendor (CPANSec).
CVSS VectorVendor: CPANSec
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure.
Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_ID environment variable for the session id. The UNIQUE_ID variable is set by the Apache mod_unique_id plugin, which generates unique ids for the request. The id is based on the IPv4 address, the process id, the epoch time, a 16-bit counter and a thread index, with no obfuscation.
The server IP is often available to the public, and if not available, can be guessed from previous session ids being issued. The process ids may also be guessed from previous session ids. The timestamp is easily guessed (and leaked in the HTTP Date response header).
The purpose of mod_unique_id is to assign a unique id to requests so that events can be correlated in different logs. The id is not designed, nor is it suitable for security purposes.
AnalysisAI
Predictable session ID generation in Apache::Session::Generate::ModUniqueId 1.54-1.94 allows remote unauthenticated attackers to forge session tokens and hijack user sessions. The vulnerability stems from using Apache mod_unique_id values as session identifiers-these values are deterministic and constructed from publicly observable or easily guessable components (server IP, process ID, timestamp, counter). With CVSS 9.1 and SSVC automation classification, this enables systematic session hijacking at scale despite no confirmed active exploitation.
Technical ContextAI
Apache::Session::Generate::ModUniqueId is a Perl module for generating session identifiers, introduced in version 1.54 of the Apache::Session package. The vulnerable implementation relies on the UNIQUE_ID environment variable populated by Apache's mod_unique_id module. While mod_unique_id serves legitimate purposes for request correlation in logging, it generates identifiers using a deterministic algorithm combining IPv4 address, process ID (PID), Unix epoch timestamp, a 16-bit counter, and thread index-none of which are cryptographically random or obfuscated. This violates CWE-340 (Generation of Predictable Numbers or Identifiers Used in Security Contexts), as session tokens must be cryptographically unpredictable to prevent forgery. The timestamp component is further leaked via standard HTTP Date response headers, providing attackers with precise timing information. Server IP addresses are typically discoverable through DNS resolution or previous session observations, and process IDs can be inferred through statistical analysis of sequential session IDs.
RemediationAI
Immediately migrate to Apache::Session::Generate::Random or other cryptographically secure session ID generators as documented at https://metacpan.org/pod/Apache::Session::Generate::Random. No patched version of ModUniqueId is available-the fundamental design is insecure as mod_unique_id was never intended for security contexts per Apache documentation at https://httpd.apache.org/docs/current/mod/mod_unique_id.html. Application-level remediation requires changing session generation configuration in Apache::Session to use Random, MD5, or SHA256 generators instead of ModUniqueId. As temporary mitigation while planning migration, invalidate all existing sessions to prevent exploitation of previously issued predictable tokens, though this does not address ongoing vulnerability. Deploy additional session binding controls (IP address validation, user-agent fingerprinting) as compensating controls, understanding these add usability friction (legitimate users behind NAT or VPNs may experience logouts) and do not fully mitigate the root cause. Monitor for anomalous session usage patterns (multiple IPs using same session, rapid session enumeration) to detect exploitation attempts during transition period.
Same technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27823
GHSA-546v-xqjf-qgcr