Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionCVE.org
Solstice::Session versions through 1440 for Perl generates session ids insecurely.
The _generateSessionID method returns an MD5 digest seeded by the epoch time, a random hash reference, a call to the built-in rand() function and the process id.
The same method is used in the _generateID method in Solstice::Subsession, which is part of the same distribution.
The epoch time may be guessed, if it is not leaked in the HTTP Date header. Stringified hash refences will contain predictable content. The built-in rand() function is seeded by 16-bits and is unsuitable for security purposes. The process id comes from a small set of numbers.
Predictable session ids could allow an attacker to gain access to systems.
AnalysisAI
Weak session ID generation in Solstice::Session for Perl (all versions through 1440) enables session prediction and hijacking attacks by unauthenticated remote attackers. The vulnerability stems from cryptographically weak entropy sources (MD5 with predictable epoch time, stringified hash references, 16-bit rand() seeding, and limited process IDs), allowing attackers to forge valid session tokens and impersonate legitimate users. EPSS score of 0.02% (4th percentile) indicates low observed exploi
Technical ContextAI
Solstice::Session is a Perl module for web session management (CPE: cpe:2.3:a:mcrawfor:solstice::session). The vulnerability resides in the _generateSessionID method and its counterpart in Solstice::Subsession. Session identifiers are created by MD5-hashing a concatenation of epoch timestamp (gettable from HTTP Date headers or synchronized clocks), Perl's stringified hash references (which contain memory addresses in predictable ranges), the built-in rand() function (seeded with only 16 bits of entropy per Perl's default implementation), and process IDs (typically from a small set of values on production systems). This root cause maps to CWE-340 (Generation of Predictable Numbers or Identifiers Used in Security Contexts). MD5, while collision-resistant for this purpose, cannot compensate for predictable input entropy. An attacker with knowledge of the server's approximate time, process environment, and Perl's PRNG behavior can reduce the search space for valid session IDs from cryptographically infeasible (2^128 for proper random tokens) to computationally trivial (potentially millions or billions of candidates, testable via brute-force against session validation endpoints).
RemediationAI
No vendor-released patch or updated version of Solstice::Session has been identified at time of analysis based on available references. The MetaCPAN distribution page and CPANSec advisory do not reference a fixed release beyond version 1440. Immediate mitigation requires replacing Solstice::Session with a cryptographically secure session management library such as Plack::Middleware::Session (with Session::Storage::Secure backend), CGI::Session with custom secure ID generation, or migrating to modern frameworks like Mojolicious or Dancer2 that implement OWASP-compliant session handling. If replacement is not immediately feasible, implement defense-in-depth controls including aggressive session rotation (on every privilege change), IP-based session binding, short session timeouts (under 15 minutes for sensitive applications), and Web Application Firewall rules to detect abnormal session enumeration patterns. Review the security guidance at https://security.metacpan.org/docs/guides/random-data-for-security.html for Perl-specific cryptographic random number generation best practices. Monitor authentication logs for session hijacking indicators such as concurrent sessions from disparate geolocations or rapid session ID cycling.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21885