


Perceptive Security
SOC/SIEM Consultancy

Plack::Middleware::Session::Simple versions through 0.04 for Perl generates session ids insecurely.
The default session id generator returns a SHA-1 hash seede…
Published:
4 March 2026 at 23:00:00
Alert date:
5 March 2026 at 20:09:02
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies
CVE-2025-40926 affects Plack::Middleware::Session::Simple versions through 0.04 for Perl, which generates session IDs insecurely: the default generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time and the PID. The vulnerability stems from this cryptographically weak random number generation, which makes session IDs predictable. An attacker who predicts a valid session ID could gain unauthorized access to the application. The issue is similar to CVE-2025-40923, which affects the compatible Plack::Middleware::Session library.
Technical details
Mitigation steps:
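As an added illustration (not code from Plack::Middleware::Session::Simple or from the advisory), the following contrasts the weak pattern described above with a generator that draws 256 bits from the operating system CSPRNG and a validator for incoming IDs. The use of Crypt::URandom and the function names are assumptions; how the generator is wired into the middleware depends on the options your installed version exposes, so upgrading past 0.04 remains the primary fix.

```perl
#!/usr/bin/env perl
# Added example; not the project's code.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);
use Crypt::URandom qw(urandom);   # CPAN module (assumed available), not core

# Weak pattern as the advisory describes it: rand(), epoch time and PID
# are the only inputs, so the space of possible IDs is small and partly
# observable. Shown only for contrast with the hardened version below.
sub weak_session_id {
    return sha1_hex( rand() . time() . $$ );
}

# Hardened generator: 32 bytes (256 bits) from the OS CSPRNG, hex-encoded.
# No hash is needed; hashing a predictable seed adds no entropy, and an
# unpredictable seed does not need one.
sub secure_session_id {
    return unpack( 'H*', urandom(32) );
}

# Validator a session store can apply before looking up a cookie value,
# so only IDs of the expected shape (64 hex chars) reach the backend.
my $SID_RE = qr/\A[0-9a-f]{64}\z/;

sub valid_session_id {
    my ($sid) = @_;
    return ( defined $sid && $sid =~ $SID_RE ) ? 1 : 0;
}

if ( !caller ) {
    my $sid = secure_session_id();
    printf "secure id: %s (valid=%d)\n", $sid, valid_session_id($sid);
    # The weak ID is 40 hex chars (SHA-1) but carries far fewer bits of entropy.
    printf "weak id: %s\n", weak_session_id();
}
```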
Affected products:
Plack::Middleware::Session::Simple
Perl
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2025-40926
https://github.com/kazeburo/Plack-Middleware-Session-Simple/commit/760bb358b8f53e52cf415888a4ac858fd99bb24e.patch
https://github.com/kazeburo/Plack-Middleware-Session-Simple/pull/4
https://metacpan.org/release/KAZEBURO/Plack-Middleware-Session-Simple-0.04/source/lib/Plack/Middleware/Session/Simple.pm#L43
https://security.metacpan.org/docs/guides/random-data-for-security.html
https://www.cve.org/CVERecord?id=CVE-2025-40923
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
