CVE-2024-58041
Published: 24 February 2026
Summary
CVE-2024-58041 is a critical-severity PRNG (CWE-338) vulnerability in Wonko Smolder. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires implementation of approved cryptographic mechanisms, directly preventing use of insecure PRNGs like Perl's rand() for cryptographic functions in Smolder.
Mandates identification, reporting, and timely remediation of software flaws such as Smolder's reliance on cryptographically weak randomness generation.
Requires NIST-approved cryptographic modules for key establishment and management, mitigating weak randomness used in generating cryptographic keys or tokens in Smolder.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Weak PRNG enables remote prediction/forge of tokens/passwords in public-facing Smolder app (T1190); directly facilitates forging web credentials (T1606).
NVD Description
Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions. Smolder 1.51 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically Smolder::DB::Developer uses…
more
the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.
Deeper analysisAI
CVE-2024-58041 affects Smolder versions through 1.51, a Perl-based continuous integration server. The vulnerability stems from the use of Perl's insecure rand() function as the default source of entropy in cryptographic functions. Specifically, the Smolder::DB::Developer module relies on the Data::Random library, which employs rand() and explicitly states it is "useful mostly for test programs," making it unsuitable for security-sensitive randomness generation. This issue is classified under CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator) with a CVSS v3.1 base score of 9.1.
Attackers can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and without changing the scope (S:U). Successful exploitation enables high-impact confidentiality (C:H) and integrity (I:H) violations, but no availability disruption (A:N). By predicting the weak pseudo-random output, adversaries could potentially forge or guess cryptographic tokens, passwords, or other security artifacts generated by affected Smolder components.
References to the vulnerability highlight the problematic code in Smolder::DB::Developer (lines 5 and 221) and Data::Random (line 537), alongside Perl documentation for rand() and a MetaCPAN security guide on random data for security purposes. No specific patches or vendor advisories are detailed in the provided information, emphasizing the need to avoid rand() for cryptographic entropy in Perl applications.
Details
- CWE(s)