Skip to main content

Ado EUVDEUVD-2026-20063

| CVE-2026-5083 MEDIUM
Generation of Predictable Numbers or Identifiers (CWE-340)
2026-04-08 CPANSec
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 06:00 euvd
EUVD-2026-20063
Analysis Generated
Apr 08, 2026 - 06:00 vuln.today
CVE Published
Apr 08, 2026 - 05:53 nvd
MEDIUM 5.3

DescriptionCVE.org

Ado::Sessions versions through 0.935 for Perl generates insecure session ids.

The session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

Predicable session ids could allow an attacker to gain access to systems.

Note that Ado is no longer maintained, and has been removed from the CPAN index. It is still available on BackPAN.

AnalysisAI

Ado::Sessions through version 0.935 for Perl generates cryptographically weak session identifiers by seeding SHA-1 with the built-in rand function, system time, and process ID, allowing attackers to predict valid session IDs and hijack user sessions. The vulnerability affects unmaintained code no longer available on CPAN, though it remains on BackPAN. EPSS exploitation probability is minimal at 0.02%, and no public exploit code has been identified, but the automatable nature of session prediction and partial technical impact warrant assessment for legacy deployments.

Technical ContextAI

Ado::Sessions is a Perl session management module that implements session ID generation using SHA-1 hashing. The vulnerability stems from the use of Perl's built-in rand function, which is designed for statistical purposes and employs a predictable linear congruential generator unsuitable for cryptographic operations (CWE-340: Generation of Predictable Numbers or Identifiers). The seed combines three components: the rand output, Unix epoch timestamp, and process ID (PID). Since PIDs are recycled in a predictable range and epoch timestamps can be inferred from HTTP Date headers or brute-forced across a narrow window, an attacker with knowledge of the server's approximate time and PID can feasibly regenerate valid session IDs. The affected CPE is cpe:2.3:a:berov:ado::sessions with all versions through 0.935 impacted. SHA-1, while not ideal for modern cryptographic purposes, is less critical here than the entropy source-the rand function supplies insufficient randomness regardless of hash function choice.

RemediationAI

No vendor-released patch is available; Ado::Sessions is no longer maintained and the project has been archived. Organizations using Ado::Sessions should migrate to a maintained Perl session management library that employs cryptographically secure random number generators, such as Crypt::Random or Data::UUID for session ID generation, or switch to established session frameworks like Plack::Middleware::Session or Dancer2::Plugin::Auth. If immediate replacement is not feasible, implement compensating controls such as session ID validation against stored hashes, short session lifetimes (15-30 minutes), and binding sessions to client IP addresses and User-Agent headers to increase the difficulty of session hijacking. The MetaCPAN security documentation at https://security.metacpan.org/docs/guides/random-data-for-security.html provides guidance on cryptographically secure randomness in Perl. For legacy systems, prioritize decommissioning or air-gapping systems using Ado::Sessions.

Share

EUVD-2026-20063 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy