Cyber Resilience

CVE-2025-40905

High

Published: 13 February 2026
Modified: 10 March 2026
CVSS v3.1 score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS score: 0.0006 (18.9th percentile)
Risk priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-40905 is a high-severity weak-PRNG vulnerability (CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator) in the WWW::OAuth Perl module (vendor listed as dbook). Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 18.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-13 (Cryptographic Protection).

Deeper analysis

CVE-2025-40905 is a vulnerability in WWW::OAuth version 1.000 and earlier, a Perl module for handling OAuth. The issue arises from the module's use of Perl's rand() function as the default source of entropy for cryptographic functions, which is not cryptographically secure. This flaw is categorized under CWE-338 and was published on 2026-02-13 with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Attackers with network access can exploit this vulnerability remotely with low complexity, requiring no privileges or user interaction. Because rand() output is reproducible from its seed, values the module derives from it for cryptographic use are not unpredictable to an observer, which could compromise cryptographic operations within the module. The CVSS vector records a low (partial) impact on confidentiality, integrity, and availability.

Advisories and references, including the module's source code at line 86 in lib/WWW/OAuth.pm, Perl documentation for rand(), a metaCPAN security guide on random data for security, and an oss-security mailing list announcement from 2026-02-13, highlight the need for cryptographically secure entropy sources in security-sensitive contexts. Security practitioners should review these resources for detailed mitigation recommendations.
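The weak pattern the advisory describes beside a hardened replacement, as an added example that is not WWW::OAuth's own code and does not reproduce the module's implementation. The function names and the 16-byte nonce length are assumptions; the secure variant reads the operating system's CSPRNG directly, and Crypt::URandom from CPAN is a portable alternative to that direct read.

```perl
#!/usr/bin/env perl
# Added example (not WWW::OAuth's code): a nonce built from Perl's rand(),
# the CWE-338 pattern the advisory describes, next to a CSPRNG-backed one.
# Function names and the 16-byte default length are assumptions.
use strict;
use warnings;

# Weak: perldoc -f rand states that rand() is not cryptographically secure.
# Its sequence is fully determined by the seed, so a nonce built from it is
# reproducible. Kept only to illustrate the flaw; do not use for tokens.
sub weak_nonce {
    my $len = shift // 16;
    return join '', map { sprintf '%02x', int(rand(256)) } 1 .. $len;
}

# Secure: draw bytes from the kernel CSPRNG. /dev/urandom is the documented
# source on Linux, BSD and macOS; Crypt::URandom::urandom($len) wraps the
# platform-specific equivalent (including Windows) for portable code.
sub secure_nonce {
    my $len = shift // 16;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $bytes, $len;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $len;
    return unpack 'H*', $bytes;
}

# Defender-side regression check for a test suite: a generator that depends
# on rand() returns the same value after the seed is reset; one backed by
# the OS CSPRNG is unaffected by srand().
sub repeats_after_reseed {
    my ($gen, $seed) = @_;
    srand($seed); my $first  = $gen->();
    srand($seed); my $second = $gen->();
    return $first eq $second ? 1 : 0;
}

if (!caller) {
    printf "rand()-based nonce repeats after srand(): %d\n",
        repeats_after_reseed(\&weak_nonce, 12345);    # 1: reproducible
    printf "urandom nonce repeats after srand():    %d\n",
        repeats_after_reseed(\&secure_nonce, 12345);  # 0: independent of seed
    print "example secure nonce: ", secure_nonce(16), "\n";
}
```

Running the script prints 1 for the rand()-based generator and 0 for the CSPRNG-backed one, which is the property an OAuth nonce or key needs.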

Vulnerability details

WWW::OAuth 1.000 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.

CWE(s)

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1606 Forge Web Credentials (Credential Access): Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.

Why these techniques?

Weak PRNG in OAuth crypto directly enables remote exploitation of public apps (T1190) and forging of web credentials/tokens via predictable randomness (T1606).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-58041 (shared CWE-338)
CVE-2024-40762 (shared CWE-338)
CVE-2025-66630 (shared CWE-338)
CVE-2026-25726 (shared CWE-338)
CVE-2026-41505 (shared CWE-338)
CVE-2025-15578 (shared CWE-338)
CVE-2024-57854 (shared CWE-338)
CVE-2026-6659 (shared CWE-338)
CVE-2026-5088 (shared CWE-338)
CVE-2021-26091 (shared CWE-338)

Affected Assets

Vendor: dbook
Product: WWW::OAuth (version 1.000 and earlier)

Mitigating Controls (NIST 800-53 r5)

SC-12 Cryptographic Key Establishment and Management (prevent): Requires cryptographically secure methods for key and nonce generation, directly blocking use of rand() as an entropy source in OAuth operations.

SC-13 Cryptographic Protection (prevent): Mandates validated cryptographic modules and algorithms that cannot rely on non-cryptographic PRNGs such as Perl's rand().

Flaw remediation control (identifier not given on the page) (prevent): Drives identification and patching of the vulnerable WWW::OAuth library to replace its insecure default entropy source.
