CVE-2025-24783
Published: 27 January 2025
Summary
CVE-2025-24783 is a high-severity Incorrect Usage of Seeds in PRNG (CWE-335) vulnerability in Apache Cocoon. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SA-22 (Unsupported System Components): prohibits the use of unsupported system components such as the retired Apache Cocoon, directly preventing exposure to this unpatchable PRNG seeding vulnerability.
- SI-2 (Flaw Remediation): requires timely flaw remediation, including replacement of unsupported software that generates predictable PRNG-based identifiers, to eliminate the vulnerability.
- Mandates secure configuration settings, such as enabling the "session-bound-continuations" option, to restrict continuation access across sessions and reduce the impact of ID guessing.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote unauthenticated attackers to exploit a public-facing Apache Cocoon web application by predicting continuation IDs due to weak PRNG seeding, directly enabling unauthorized data disclosure.
NVD Description
** UNSUPPORTED WHEN ASSIGNED ** Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Apache Cocoon. This issue affects Apache Cocoon: all versions. When a continuation is created, it gets a random identifier. Because the random number generator used to generate these identifiers was seeded with the startup time, it may not have been sufficiently unpredictable, and an attacker could use this to guess continuation ids and look up continuations they should not have had access to. As a mitigation, you may enable the "session-bound-continuations" option to make sure continuations are not shared across sessions. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysis
CVE-2025-24783 is an Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability (CWE-335) affecting all versions of Apache Cocoon. The issue arises when continuations are created and assigned random identifiers using a PRNG seeded solely with the application's startup time, rendering the identifiers insufficiently unpredictable.
Remote attackers with no privileges required can exploit this over the network with low complexity and no user interaction (CVSSv3.1 score of 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). By guessing the predictable continuation IDs, they can access continuations that should be restricted, leading to unauthorized data disclosure.
Apache advisories note that as Cocoon is a retired project, no patched version will be released. Mitigation involves enabling the "session-bound-continuations" option to prevent sharing across sessions, alongside recommendations to migrate to alternatives or restrict instance access to trusted users only. This vulnerability exclusively impacts unsupported products.
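The following is an added illustration of the weak seeding pattern the analysis describes (CWE-335), shown beside a hardened alternative. It is example code written for this page, not Apache Cocoon's own implementation; the startup timestamp is a constructed sample value.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;

/** Hypothetical continuation-id generators illustrating CVE-2025-24783's root cause. */
public class ContinuationIdSeeding {

    // Weak pattern: the generator is seeded once with the process start time.
    // Every id produced afterwards is a deterministic function of that single
    // value, so anyone who can estimate the start time can reproduce the sequence.
    static String[] weakIds(long startupTimeMillis, int count) {
        Random rng = new Random(startupTimeMillis);
        String[] ids = new String[count];
        for (int i = 0; i < count; i++) {
            ids[i] = Long.toHexString(rng.nextLong());
        }
        return ids;
    }

    // Hardened pattern: a CSPRNG seeded by the platform's entropy source,
    // producing 128-bit ids that are not derivable from any observable value.
    static String[] strongIds(int count) {
        SecureRandom rng = new SecureRandom();
        String[] ids = new String[count];
        byte[] buf = new byte[16];
        for (int i = 0; i < count; i++) {
            rng.nextBytes(buf);
            StringBuilder sb = new StringBuilder();
            for (byte b : buf) {
                sb.append(String.format("%02x", b & 0xff));
            }
            ids[i] = sb.toString();
        }
        return ids;
    }

    public static void main(String[] args) {
        long startup = 1_737_936_000_000L; // constructed sample startup time (ms)
        String[] server = weakIds(startup, 3);
        String[] replay = weakIds(startup, 3); // same seed, identical ids
        System.out.println("time-seeded ids reproducible: " + Arrays.equals(server, replay));
        String[] a = strongIds(3);
        String[] b = strongIds(3);
        System.out.println("CSPRNG ids reproducible: " + Arrays.equals(a, b));
    }
}
```

Because Cocoon will not ship the hardened pattern, the practical defences remain the ones the advisory names: enable "session-bound-continuations" so an id is only usable within the session that created it, and restrict or retire the instance.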
Details
- CWE(s)