Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id.
The generate_session_id function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes using SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.
Amon2::Plugin::Web::CSRFDefender versions before 7.00 were part of Amon2, which was vulnerable to insecure session ids due to CVE-2025-15604.
Note that the author has deprecated this module.
AnalysisAI
Amon2::Plugin::Web::CSRFDefender versions 7.00 through 7.03 for Perl generate cryptographically weak session IDs when /dev/urandom is unavailable, falling back to SHA-1 hashing seeded with predictable values (system PID, epoch time, and the unseeded rand() function). This allows attackers to forge valid session identifiers and potentially conduct session hijacking or CSRF attacks. The module is deprecated by its author, and CISA has not confirmed active exploitation; however, the automatable nature of the attack (as per SSVC) combined with the availability of fix version 7.04 indicates moderate practical risk despite the low EPSS score of 0.02%.
Technical ContextAI
The vulnerability stems from CWE-340 (Generation of Predictable Numbers or Identifiers) in the generate_session_id function of Amon2::Plugin::Web::CSRFDefender. The affected Perl module implements CSRF token defense by generating session identifiers. When the cryptographically secure /dev/urandom source is unavailable (e.g., on non-Unix systems or in restricted environments), the fallback mechanism uses SHA-1 with a seed constructed from three weak sources: the operating system PID (typically a small sequential value, often guessable or previously enumerated), the high-resolution epoch time (guessable or potentially leaked via HTTP Date headers), and Perl's built-in rand() function (a non-cryptographic PRNG unsuitable for security-sensitive operations). This combination allows an attacker to brute-force or predict session IDs without cryptographic strength. The module version 7.04 and later address this by presumably enforcing /dev/urandom or using a cryptographically appropriate alternative.
RemediationAI
Upgrade Amon2::Plugin::Web::CSRFDefender to version 7.04 or later. This can typically be done via CPAN package managers (e.g., 'cpan Amon2::Plugin::Web::CSRFDefender' or via system package managers if available). Consult the module changelog at https://metacpan.org/release/TOKUHIROM/Amon2-Plugin-Web-CSRFDefender-7.04/changes for specific fix details and any migration notes. Since the author has deprecated this module, organizations should evaluate whether to transition to an actively maintained CSRF defense library. For systems where immediate patching is not feasible, the fallback session ID generation should not be triggered by ensuring /dev/urandom is available on Unix-like systems, though this is a workaround and not a substitute for upgrading.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20060
GHSA-gr8m-rq4x-q7c8