EUVD-2025-209143

CVE-2025-15618 | CRITICAL 9.1 (CVSS 3.1)
2026-03-31 CPANSec GHSA-7rq2-v6rc-96jw

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 31, 2026 - 10:45 (vuln.today)
EUVD ID Assigned: Mar 31, 2026 - 10:45 (euvd), EUVD-2025-209143
CVE Published: Mar 31, 2026 - 10:04 (nvd), CRITICAL 9.1

Description

Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key. Business::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use. This key is intended for encrypting credit card transaction data.

Analysis

Business::OnlinePayment::StoredTransaction through version 0.01 derives its secret key from the MD5 hash of a single rand() call. The key space is therefore no larger than the output space of one rand() call, which an attacker holding the stored ciphertext can enumerate offline to recover the key and then decrypt, or forge, stored transaction records. The exposure falls on anyone who used this Perl module to protect payment card data at rest. The 9.1 CVSS 3.1 score above (attack vector network, no privileges or user interaction, high confidentiality and integrity impact, no availability impact) reflects the direct compromise of payment card encryption.

Technical Context

The Business::OnlinePayment::StoredTransaction Perl module encrypts credit card transaction data for storage. The vulnerability is CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator): the secret key is derived as MD5(rand()). The decisive weakness is the input. Perl's built-in rand() is a non-cryptographic generator (a drand48-style linear congruential generator whose state is seeded from a 32-bit integer), so the output of one call can take at most 2^32 distinct values, and far fewer if the program seeded it with something guessable such as the current time. Hashing that output with MD5 adds no entropy: the set of possible keys is exactly the set of possible rand() outputs, small enough to enumerate and test each candidate against a captured ciphertext. MD5's own shortcomings (deprecated, collision-prone, 128-bit output) are secondary here; substituting SHA-256 would not help while the input remains a single rand() call. Because these keys protect payment card information, recovering one exposes every record encrypted under it.

Affected Products

Business::OnlinePayment::StoredTransaction for Perl, versions through 0.01, as indicated by CPE cpe:2.3:a:mock:business::onlinepayment::storedtransaction. The module is distributed via CPAN (Comprehensive Perl Archive Network). All installations using version 0.01 or earlier to encrypt payment card data are affected.

Remediation

Apply the security patch published at https://security.metacpan.org/patches/B/Business-OnlinePayment-StoredTransaction/0.01/CVE-2025-15618-r1.patch, or move to a release that incorporates it if one becomes available. A correct fix draws the key from an operating-system CSPRNG (/dev/urandom, Crypt::URandom, Crypt::OpenSSL::Random or Crypt::Random) rather than from rand(), and uses the random bytes directly as key material instead of hashing a small value. Then rotate: generate a fresh key with the corrected implementation and re-encrypt every record that was encrypted under a rand()-derived key, since those keys are recoverable by anyone holding the ciphertext. Rotation does not protect ciphertext an attacker may already have copied; treat records encrypted under the weak keys as exposed when deciding on notification and card-reissue steps. Audit all systems that use this module in production payment processing and patch before processing new transactions.
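The following is an added example, not the module's code and not part of the advisory. It reconstructs the weak construction described under Technical Context (assumed to be md5_hex(rand()), i.e. MD5 of the stringified float), shows the seed search an attacker runs against it, and shows the sound replacement recommended under Remediation. Crypt::URandom is one of several acceptable CSPRNG sources; Crypt::OpenSSL::Random or Crypt::Random from the text above work equally. The timestamp seed and the search window are constructed for the demo.

```perl
#!/usr/bin/env perl
# Illustration only. Not the code of Business::OnlinePayment::StoredTransaction;
# the md5_hex(rand()) form and the time-based seed are assumptions for the demo.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);      # core
use Crypt::URandom qw(urandom);   # CPAN; OS CSPRNG (/dev/urandom, CryptGenRandom, ...)

# WEAK: the key is a function of one rand() output. rand() is a drand48-style
# LCG seeded from a 32-bit integer, so this key has at most 2^32 possible
# values, and far fewer if the program called srand(time()) at startup.
sub weak_key_hex {
    return md5_hex(rand());
}

# Attacker side: given a weak key (in practice, a ciphertext to trial-decrypt
# against), walk the plausible seed range. After srand($seed), the first rand()
# is deterministic, so reproducing the victim's seed reproduces the key.
sub recover_seed {
    my ($target_hex, $seed_from, $seed_to) = @_;
    for my $seed ($seed_from .. $seed_to) {
        srand($seed);                     # rebuild the victim's generator state
        return $seed if md5_hex(rand()) eq $target_hex;
    }
    return;                               # seed not in the searched window
}

# STRONG: 32 bytes straight from the OS CSPRNG, used directly as the cipher
# key. No hashing of a small value, so the key entropy is the full 256 bits.
sub strong_key {
    return urandom(32);
}

# Demo. Victim: seeds from a (constructed) start-up timestamp, derives a key.
my $victim_start = 1_700_000_000;
srand($victim_start);
my $key = weak_key_hex();

# Attacker: searches a two-day window around the suspected deployment time.
my $found = recover_seed($key, $victim_start - 86_400, $victim_start + 86_400);
printf "weak key %s: seed %s\n", $key, defined $found ? "recovered ($found)" : 'not found';

# Fixed key generation for comparison.
my $strong = strong_key();
printf "strong key: %d bytes, %s\n", length $strong, unpack 'H*', $strong;
```

Run it under any Perl 5.20 or later (which use the same internal drand48 on every platform, so the seed search works across machines); the weak key is recovered in well under a second, while the 32-byte key from urandom() has no seed to search for. With default seeding the window for the weak key is the full 2^32 range, which is still a modest offline computation.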

Priority Score

46 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +46
POC: 0


EUVD-2025-209143 vulnerability details – vuln.today