Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
WebDyne::Session versions through 2.075 for Perl generates the session id insecurely.
The session handler generates the session id from an MD5 hash seeded with a call to the built-in rand() function. The rand function is passed a maximum value based on the process id, the epoch time and the reference address of the object, but this information will have no effect on the overall quality of the seed of the message digest.
The rand function is seeded by 32-bits and is predictable. It is considered unsuitable for cryptographic purposes.
Predictable session ids could allow an attacker to gain access to systems.
Note that WebDyne::Session versions 1.042 and earlier appear to be in separate distributions from WebDyne.
AnalysisAI
WebDyne::Session versions through 2.075 for Perl generate cryptographically weak session identifiers using MD5 hashing seeded with Perl's predictable rand() function, allowing attackers to forge valid session IDs and gain unauthorized access to systems. The vulnerability affects all versions from 0 through 2.075 and stems from reliance on a 32-bit-seeded random number generator unsuitable for cryptographic purposes, making session hijacking feasible without authentication.
Technical ContextAI
WebDyne::Session is a Perl-based session handler that creates session identifiers by hashing entropy derived from the built-in rand() function. The seed combines process ID, epoch timestamp, and object reference address - metadata that provides minimal entropy. Perl's rand() function uses a 32-bit linear congruential generator (LCG) by default, which is mathematically predictable and has well-documented weaknesses documented in CWE-340 (Use of Insufficiently Random Values). The resulting MD5 hash of this weak entropy yields session IDs that can be predicted or brute-forced by an attacker with knowledge of the server's PID, time, and object memory layout. Modern cryptographic best practices require cryptographically secure random sources such as /dev/urandom or Perl's Crypt::Random or Math::Random::Secure modules.
RemediationAI
Upgrade WebDyne::Session to a version patched after 2.075 if available from the vendor (patch availability should be confirmed directly with ASPEER/WebDyne maintainers or checked on CPAN). If a patched release is not yet available, immediate mitigation requires modifying the session generation code to use cryptographically secure random sources: replace rand() with Crypt::Random, Math::Random::Secure, or system entropy via Perl's srand() seeded from /dev/urandom. Specifically, replace the MD5(rand()-based seed) logic with Crypt::Random::makerandom() or equivalent. Additionally, implement session token rotation on every authentication event and add server-side session validation (tie session IDs to IP address and User-Agent) to limit session hijacking window even if tokens are compromised. Set secure session cookie flags (HttpOnly, Secure, SameSite=Strict) to prevent token leakage via XSS. Monitor for unauthorized session activity and invalidate any sessions predating the patched deployment. Testing guidance is available at https://security.metacpan.org/docs/guides/random-data-for-security.html.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29039
GHSA-462c-h7qr-cxm6