
Plack::Middleware::Session::Simple versions through 0.04 for Perl generate session ids insecurely.

The default session id generator returns a SHA-1 hash seede…

Published:

4 March 2026 at 23:00:00

Alert date:

5 March 2026 at 20:09:02

Source:

nvd.nist.gov


Web Technologies, Supply Chain & Dependencies

CVE-2025-40926 affects Plack::Middleware::Session::Simple versions through 0.04 for Perl. The module generates session IDs insecurely: the ID is a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. None of these inputs comes from a cryptographically strong random number generator, so the resulting session IDs are predictable. Attackers could exploit predictable session IDs to gain unauthorized access to systems. The issue is similar to CVE-2025-40923, which affects the compatible Plack::Middleware::Session library.

Technical details

Mitigation steps:
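
One way to avoid the weak default generator, shown as an added example that is not code from the advisory or from the module: supply a session ID generator that reads from the kernel CSPRNG. It assumes the middleware's `sid_generator` and `sid_validator` options and a Unix-like host with `/dev/urandom`; `DemoStore`, `secure_sid` and the cookie name are hypothetical.

```perl
# app.psgi -- added example; names below are illustrative assumptions.
use strict;
use warnings;
use Plack::Builder;

# Minimal in-memory store for the demo (hypothetical). The middleware only
# needs an object that provides get, set and remove.
package DemoStore {
    sub new    { my ($class) = @_; return bless +{ data => {} }, $class }
    sub get    { $_[0]{data}{ $_[1] } }
    sub set    { $_[0]{data}{ $_[1] } = $_[2] }
    sub remove { delete $_[0]{data}{ $_[1] } }
}

# 20 bytes (160 bits) from the kernel CSPRNG, hex-encoded to 40 characters.
# Dies instead of falling back to rand() if the device cannot be read.
sub secure_sid {
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $buf, 20;
    close $fh;
    die "short read from /dev/urandom"
        unless defined $got && $got == 20;
    return unpack 'H*', $buf;
}

my $app = sub {
    my $env     = shift;
    my $session = $env->{'psgix.session'};
    $session->{visits}++;
    return [ 200, [ 'Content-Type' => 'text/plain' ],
             [ "visits: $session->{visits}\n" ] ];
};

builder {
    enable 'Session::Simple',
        store         => DemoStore->new,
        cookie_name   => 'myapp_session',
        # Replace the default SHA-1(rand, time, PID) generator.
        sid_generator => \&secure_sid,
        # Accept only IDs in the format secure_sid produces.
        sid_validator => qr/\A[0-9a-f]{40}\z/;
    $app;
};
```

Run it with `plackup app.psgi`; sessions issued before the change still carry IDs from the old generator, so clear the session store when deploying it.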

Affected products:

Plack::Middleware::Session::Simple
Perl

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.