CVE-2025-40932

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

27/02/2026

Last modified:

03/03/2026

Description

Apache::SessionX versions through 2.01 for Perl create insecure session id.<br /> <br /> Apache::SessionX generates session ids insecurely. The default session id generator in Apache::SessionX::Generate::MD5 returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS v3.1 Severity and Metrics:

Base Score: 8.20 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): Low
Availability (A): None

Base Score 3.x

8.20

Severity 3.x

HIGH

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:grichter:apache\:\:sessionx::::::perl::*		2.01 (including)

To consult the complete list of CPE names with products and versions, see this page

References to Advisories, Solutions, and Tools

https://metacpan.org/release/GRICHTER/Apache-SessionX-2.01/source/SessionX/Generate/MD5.pm#L29