CVE-2025-24783
Published: 27 January 2025
Summary
CVE-2025-24783 is a high-severity PRNG (CWE-335) vulnerability in Apache Cocoon. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-24783 is an incorrect seed usage vulnerability in the pseudo-random number generator that Apache Cocoon uses to assign identifiers to continuations. The flaw affects every version of the framework; because the PRNG is seeded only with the process startup time, the resulting identifiers are insufficiently unpredictable.
An unauthenticated network attacker can therefore enumerate and guess valid continuation IDs, retrieving continuation state that should be inaccessible and thereby disclosing sensitive information. The CVSS 7.5 score reflects the low attack complexity and absence of required privileges or user interaction.
Apache has marked the issue “unsupported when assigned” because the Cocoon project is retired and will not issue a fix. The published mitigation is to enable the “session-bound-continuations” option so that continuations are not shared across sessions; otherwise administrators are advised to restrict access to trusted users only. The associated EPSS scores remain low (current 0.0102, peak 0.0133) with no material upward trajectory after disclosure.
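To make the two points above concrete (a PRNG seeded only with the process startup time mints the same identifiers on every instance started at that moment, and session binding stops a looked-up continuation from being handed to a different session), here is an added Python illustration. It is not Cocoon's code: the toy store, the 64-bit hex identifier format and the use of Python's random and secrets modules are assumptions standing in for the framework's own generator.

```python
import random
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Continuation:
    owner_session: str
    state: dict

@dataclass
class ContinuationStore:
    """Toy continuation registry (an assumption, not Cocoon's implementation)."""
    session_bound: bool = False            # the mitigation option named in the advisory
    startup_time_ms: Optional[int] = None  # None: use the OS CSPRNG instead
    _rng: Optional[random.Random] = field(default=None, init=False)
    _table: Dict[str, Continuation] = field(default_factory=dict, init=False)

    def __post_init__(self) -> None:
        if self.startup_time_ms is not None:
            # Weak pattern: a general-purpose PRNG seeded once with startup time,
            # so every identifier is a pure function of that single timestamp.
            self._rng = random.Random(self.startup_time_ms)

    def _new_id(self) -> str:
        if self._rng is not None:
            return f"{self._rng.getrandbits(64):016x}"
        return secrets.token_hex(8)  # hardened: fresh OS entropy, no seed to recover

    def create(self, session: str, state: dict) -> str:
        cid = self._new_id()
        self._table[cid] = Continuation(session, state)
        return cid

    def lookup(self, cid: str, session: str) -> Optional[dict]:
        cont = self._table.get(cid)
        if cont is None:
            return None
        if self.session_bound and cont.owner_session != session:
            return None  # session-bound: an ID owned by another session yields nothing
        return cont.state

def ids_are_seed_determined(startup_time_ms: int, n: int = 3) -> bool:
    """Defender check: two instances started at the same moment mint identical
    identifiers, i.e. the IDs carry no entropy beyond the seed."""
    a = ContinuationStore(startup_time_ms=startup_time_ms)
    b = ContinuationStore(startup_time_ms=startup_time_ms)
    return [a.create("s", {}) for _ in range(n)] == [b.create("s", {}) for _ in range(n)]
```

Running the check against a seeded store returns True, while two stores backed by the OS CSPRNG never agree; with session_bound=True a lookup from a session other than the owner's returns None even when the identifier is known.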
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0182
Vulnerability details
** UNSUPPORTED WHEN ASSIGNED ** Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Apache Cocoon. This issue affects Apache Cocoon: all versions. When a continuation is created, it gets a random identifier. Because the random number generator used to generate these identifiers was seeded with the startup time, it may not have been sufficiently unpredictable, and an attacker could use this to guess continuation ids and look up continuations they should not have had access to. As a mitigation, you may enable the "session-bound-continuations" option to make sure continuations are not shared across sessions. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
- CWE(s): CWE-335 (Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG))
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability allows remote unauthenticated attackers to exploit a public-facing Apache Cocoon web application by predicting continuation IDs due to weak PRNG seeding, directly enabling unauthorized data disclosure.
Mitigating Controls (NIST 800-53 r5)
- SA-22 (Unsupported System Components): Prohibits the use of unsupported system components such as the retired Apache Cocoon, directly preventing exposure to this unpatchable PRNG seeding vulnerability.
- SI-2 (Flaw Remediation): Requires timely flaw remediation, including replacement of unsupported software that relies on predictable PRNG identifiers, to eliminate the vulnerability.
- Secure configuration settings: Mandates settings such as enabling session-bound-continuations to restrict continuation access across sessions and mitigate ID guessing.