Cyber Resilience

CVE-2024-58041

Critical

Published: 24 February 2026

Published
24 February 2026
Modified
04 March 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0041 32.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2024-58041 is a critical-severity PRNG (CWE-338) vulnerability in Wonko Smolder. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-58041 affects Smolder versions through 1.51, a Perl-based continuous integration server. The vulnerability stems from the use of Perl's insecure rand() function as the default source of entropy in cryptographic functions. Specifically, the Smolder::DB::Developer module relies on the Data::Random library, which employs rand() and explicitly states it is "useful mostly for test programs," making it unsuitable for security-sensitive randomness generation. This issue is classified under CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator) with a CVSS v3.1 base score of 9.1.

Attackers can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and without changing the scope (S:U). Successful exploitation enables high-impact confidentiality (C:H) and integrity (I:H) violations, but no availability disruption (A:N). By predicting the weak pseudo-random output, adversaries could potentially forge or guess cryptographic tokens, passwords, or other security artifacts generated by affected Smolder components.

References to the vulnerability highlight the problematic code in Smolder::DB::Developer (lines 5 and 221) and Data::Random (line 537), alongside Perl documentation for rand() and a MetaCPAN security guide on random data for security purposes. No specific patches or vendor advisories are detailed in the provided information, emphasizing the need to avoid rand() for cryptographic entropy in Perl applications.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions. Smolder 1.51 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically Smolder::DB::Developer uses…

more

the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1606 Forge Web Credentials Credential Access
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.
Why these techniques?

Weak PRNG enables remote prediction/forge of tokens/passwords in public-facing Smolder app (T1190); directly facilitates forging web credentials (T1606).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-40905Shared CWE-338
CVE-2025-66630Shared CWE-338
CVE-2024-40762Shared CWE-338
CVE-2021-26091Shared CWE-338
CVE-2026-25726Shared CWE-338
CVE-2026-41505Shared CWE-338
CVE-2025-15578Shared CWE-338
CVE-2024-57854Shared CWE-338
CVE-2026-41858Shared CWE-338
CVE-2026-6659Shared CWE-338

Affected Assets

wonko
smolder
≤ 1.51

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires implementation of approved cryptographic mechanisms, directly preventing use of insecure PRNGs like Perl's rand() for cryptographic functions in Smolder.

preventdetect

Mandates identification, reporting, and timely remediation of software flaws such as Smolder's reliance on cryptographically weak randomness generation.

prevent

Requires NIST-approved cryptographic modules for key establishment and management, mitigating weak randomness used in generating cryptographic keys or tokens in Smolder.

References