Skip to main content

Amon2

2 CVEs product

Monthly

CVE-2026-5082 MEDIUM This Month

Amon2::Plugin::Web::CSRFDefender versions 7.00 through 7.03 for Perl generate cryptographically weak session IDs when /dev/urandom is unavailable, falling back to SHA-1 hashing seeded with predictable values (system PID, epoch time, and the unseeded rand() function). This allows attackers to forge valid session identifiers and potentially conduct session hijacking or CSRF attacks. The module is deprecated by its author, and CISA has not confirmed active exploitation; however, the automatable nature of the attack (as per SSVC) combined with the availability of fix version 7.04 indicates moderate practical risk despite the low EPSS score of 0.02%.

Information Disclosure Amon2
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-15604 CRITICAL PATCH Act Now

Amon2 for Perl versions before 6.17 use cryptographically weak random number generation for security-critical functions including session IDs, cookie signing secrets, and CSRF tokens. Versions 6.06-6.16 fall back to SHA-1 hashes seeded with predictable inputs (process ID from a small set, guessable epoch time, and the unsuitable built-in rand() function) when /dev/urandom is unavailable; versions before 6.06 relied entirely on built-in rand(). No CVSS vector or EPSS data is available, and no public exploit code or active exploitation has been confirmed, but the weakness directly undermines session security and CSRF protection in affected applications.

CSRF Amon2
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
EPSS 0% CVSS 5.3
MEDIUM This Month

Amon2::Plugin::Web::CSRFDefender versions 7.00 through 7.03 for Perl generate cryptographically weak session IDs when /dev/urandom is unavailable, falling back to SHA-1 hashing seeded with predictable values (system PID, epoch time, and the unseeded rand() function). This allows attackers to forge valid session identifiers and potentially conduct session hijacking or CSRF attacks. The module is deprecated by its author, and CISA has not confirmed active exploitation; however, the automatable nature of the attack (as per SSVC) combined with the availability of fix version 7.04 indicates moderate practical risk despite the low EPSS score of 0.02%.

Information Disclosure Amon2
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Amon2 for Perl versions before 6.17 use cryptographically weak random number generation for security-critical functions including session IDs, cookie signing secrets, and CSRF tokens. Versions 6.06-6.16 fall back to SHA-1 hashes seeded with predictable inputs (process ID from a small set, guessable epoch time, and the unsuitable built-in rand() function) when /dev/urandom is unavailable; versions before 6.06 relied entirely on built-in rand(). No CVSS vector or EPSS data is available, and no public exploit code or active exploitation has been confirmed, but the weakness directly undermines session security and CSRF protection in affected applications.

CSRF Amon2
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy