Cyber Resilience

CVE-2025-24783

Severity: High
Published: 27 January 2025
Modified: 15 July 2025
KEV Added: not listed
Patch: none (project retired)
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.0102 (77.7th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-24783 is a high-severity Incorrect Usage of Seeds in PRNG (CWE-335) vulnerability in Apache Cocoon. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). With an EPSS of 0.0102 it ranks in the top 22.3% of CVEs by estimated exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-24783 is an incorrect-seed-usage weakness (CWE-335) in the pseudo-random number generator that Apache Cocoon uses to mint continuation identifiers. A continuation is the server-side snapshot of a suspended flowscript that a client resumes by presenting its identifier, so that identifier is the only thing standing between a request and another user's saved state. All versions are affected: the generator is seeded with the process start time, a low-entropy value that can be bounded from outside, so the identifiers it emits are not sufficiently unpredictable.

An unauthenticated network attacker who recovers the seed, for example by matching candidate start times against a continuation ID issued to their own session, can enumerate the identifiers issued to other users and retrieve continuation state that should be inaccessible, disclosing sensitive information. The CVSS 7.5 score reflects low attack complexity with no privileges or user interaction required; the vector (C:H/I:N/A:N) rates the impact as confidentiality only.

Apache has marked the issue "unsupported when assigned": the Cocoon project is retired and no fixed release is planned. The published mitigation is to enable the "session-bound-continuations" option so that a continuation can only be resumed from the session that created it, which turns a correctly guessed identifier into a miss; failing that, restrict access to the instance to trusted users, or migrate off Cocoon. EPSS remains low (0.0102 now, 0.0133 at peak) with no material upward movement since disclosure.
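The seed-recovery attack and the session-binding mitigation described above, as an added Python model that is not Cocoon's code: it assumes a java.util.Random-style 48-bit LCG seeded with the start time in epoch milliseconds (a stand-in; the page does not say which generator Cocoon uses) and a 16-hex-digit continuation identifier; the store, session names, flow states and start time are constructed for the example.

```python
"""Added model of CVE-2025-24783: continuation ids from a PRNG seeded with
the process start time, seed recovery from one observed id, and the
session-bound-continuations mitigation. Not Cocoon's code; the generator is
a java.util.Random-style LCG standing in for whatever Cocoon actually uses."""
import secrets

# java.util.Random's 48-bit LCG constants, as specified in the JDK javadoc.
_MULT = 0x5DEECE66D
_ADD = 0xB
_MASK = (1 << 48) - 1


class JavaRandom:
    """Minimal java.util.Random: the seed is scrambled with the multiplier,
    each call advances the LCG and returns the top `bits` bits of state."""

    def __init__(self, seed: int) -> None:
        self.seed = (seed ^ _MULT) & _MASK

    def next_bits(self, bits: int) -> int:
        self.seed = (self.seed * _MULT + _ADD) & _MASK
        return self.seed >> (48 - bits)


def next_id(rng: JavaRandom) -> str:
    """Two 32-bit draws rendered as a 16-hex-digit continuation id (assumed format)."""
    return "%08x%08x" % (rng.next_bits(32), rng.next_bits(32))


class ContinuationManager:
    """Hypothetical continuation store. weak=True seeds the id generator with
    the startup time (the vulnerable pattern); weak=False uses a CSPRNG.
    session_bound mirrors the advisory's session-bound-continuations option:
    a continuation can only be resumed by the session that created it."""

    def __init__(self, startup_millis: int, weak: bool = True, session_bound: bool = False) -> None:
        self.rng = JavaRandom(startup_millis) if weak else None
        self.session_bound = session_bound
        self.store: dict[str, tuple[str, str]] = {}

    def create(self, session: str, state: str) -> str:
        cid = next_id(self.rng) if self.rng is not None else secrets.token_hex(8)
        self.store[cid] = (session, state)
        return cid

    def lookup(self, cid: str, session: str):
        entry = self.store.get(cid)
        if entry is None:
            return None
        owner, state = entry
        if self.session_bound and owner != session:
            return None  # right id, wrong session: refused
        return state


def recover_seed(observed_id: str, window_start_ms: int, window_end_ms: int, max_position: int = 32):
    """Brute-force the startup time over a window of candidate millisecond seeds.
    Returns (seed, position) where position is how many ids the server issued
    before observed_id, or None if no candidate reproduces it."""
    for seed in range(window_start_ms, window_end_ms + 1):
        rng = JavaRandom(seed)
        for pos in range(max_position):
            if next_id(rng) == observed_id:
                return seed, pos
    return None


def predict_ids(seed: int, position: int, count: int) -> list[str]:
    """Replay the generator past the attacker's own id and emit the ids that
    follow it, i.e. the continuations issued to other users afterwards."""
    rng = JavaRandom(seed)
    for _ in range(position + 1):
        next_id(rng)
    return [next_id(rng) for _ in range(count)]


def demo(weak: bool = True, session_bound: bool = False) -> dict:
    """Attacker holds one id of their own and knows the server started within
    about 2.5 s of a guess. Returns what the attack achieved against this configuration."""
    startup = 1_738_000_000_000  # constructed epoch-millis start time
    mgr = ContinuationManager(startup, weak=weak, session_bound=session_bound)
    mgr.create("victim-session", "victim checkout step")                     # position 0
    own_cid = mgr.create("attacker-session", "attacker flow")                # position 1
    victim_cid = mgr.create("victim-session", "victim password-reset step")  # position 2

    found = recover_seed(own_cid, startup - 2_500, startup + 2_500)
    if found is None:
        return {"seed_recovered": False, "predicted_victim_id": False, "stolen": []}
    seed, pos = found
    guesses = predict_ids(seed, pos, 4)
    stolen = [s for s in (mgr.lookup(g, "attacker-session") for g in guesses) if s is not None]
    return {
        "seed_recovered": seed == startup,
        "predicted_victim_id": guesses[0] == victim_cid,
        "stolen": stolen,
    }


if __name__ == "__main__":
    print("vulnerable:", demo())
    print("session-bound:", demo(session_bound=True))
    print("CSPRNG ids:", demo(weak=False))
```

The three runs show the practical difference between the two remedies: session binding leaves the seed recoverable (the attacker still predicts the victim's identifier) but makes the lookup fail, whereas CSPRNG identifiers defeat the seed search outright. Since no fixed Cocoon release exists, only the first is available to operators short of replacing the framework.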


Vulnerability details

** UNSUPPORTED WHEN ASSIGNED ** Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Apache Cocoon. This issue affects Apache Cocoon: all versions. When a continuation is created, it gets a random identifier. Because the random number generator used to generate these identifiers was seeded with the startup time, it may not have been sufficiently unpredictable, and an attacker could use this to guess continuation ids and look up continuations they should not have had access to. As a mitigation, you may enable the "session-bound-continuations" option to make sure continuations are not shared across sessions. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s)

CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why this technique?

The vulnerability lets a remote, unauthenticated attacker exploit an Internet-facing Apache Cocoon application by predicting continuation IDs, which are generated from a PRNG seeded with the process start time; a correct guess directly discloses another user's continuation state.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-46586 (same vendor: Apache)
CVE-2026-41873 (same vendor: Apache)
CVE-2024-53678 (same vendor: Apache)
CVE-2026-34059 (same vendor: Apache)
CVE-2026-40961 (same vendor: Apache)
CVE-2025-48913 (same vendor: Apache)
CVE-2025-65114 (same vendor: Apache)
CVE-2026-27446 (same vendor: Apache)
CVE-2026-30778 (same vendor: Apache)
CVE-2025-22828 (same vendor: Apache)

Affected Assets

Apache Cocoon, all versions

Mitigating Controls (NIST 800-53 r5)

SA-22 Unsupported System Components (prevent)
Prohibits the use of unsupported system components such as the retired Apache Cocoon, removing exposure to a PRNG seeding flaw that will never be patched.

SI-2 Flaw Remediation (prevent)
Requires timely flaw remediation; since no vendor fix exists, that means replacing the unsupported software that issues predictable continuation identifiers.

Secure configuration (prevent)
Mandates secure configuration settings such as enabling session-bound-continuations, so that a continuation can only be resumed by the session that created it and a guessed identifier yields nothing.
