Cyber Posture

CVE-2025-40905

High

Published: 13 February 2026

Modified: 10 March 2026
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0006 (18.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-40905 is a high-severity use of a cryptographically weak PRNG (CWE-338) in WWW::OAuth for Perl (vendor listed as dbook). Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 18.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Forge Web Credentials (T1606).

Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Security associations share details on cryptographically weak PRNGs, helping avoid their implementation in security-critical functions. (addresses CWE-338)
- Cryptographic key management standards require cryptographically strong PRNGs for key material, blocking use of weak generators. (addresses CWE-338)

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1606 Forge Web Credentials (Credential Access): Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.

Why these techniques?

A weak PRNG in the OAuth module's cryptographic functions enables remote exploitation of public-facing applications (T1190) and forgery of web credentials or tokens through predictable randomness (T1606).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

WWW::OAuth 1.000 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.

Deeper analysis (AI-generated)

CVE-2025-40905 is a vulnerability in WWW::OAuth version 1.000 and earlier, a Perl module for handling OAuth. The issue arises from the module's use of Perl's rand() function as the default source of entropy for cryptographic functions, which is not cryptographically secure. This flaw is categorized under CWE-338 and was published on 2026-02-13 with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Attackers with network access can exploit this vulnerability remotely with low complexity, requiring no privileges or user interaction. By predicting the output of the weak rand()-based randomness, they could compromise cryptographic operations within the module, with low impact on confidentiality, integrity, and availability (C:L/I:L/A:L).

Advisories and references, including the module's source code at line 86 in lib/WWW/OAuth.pm, Perl documentation for rand(), a metaCPAN security guide on random data for security, and an oss-security mailing list announcement from 2026-02-13, highlight the need for cryptographically secure entropy sources in security-sensitive contexts. Security practitioners should review these resources for detailed mitigation recommendations.
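An added Perl illustration (not code from WWW::OAuth or this advisory) of the weakness class the NVD entry describes: a nonce generator drawn from rand() replays its output once the seed is known, while one backed by the operating system's CSPRNG does not. It assumes the CPAN module Crypt::URandom is installed; the seed value 12345 is a constructed example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Crypt::URandom qw(urandom);            # CPAN module wrapping the OS CSPRNG (assumed installed)
use MIME::Base64   qw(encode_base64url);   # core module (MIME::Base64 >= 3.11)

# WEAK (the pattern behind CWE-338): rand() is a non-cryptographic PRNG whose
# entire future output follows from its seed, so anyone who recovers or guesses
# the seed can reproduce every nonce the application will issue.
sub weak_nonce {
    my $len   = shift // 32;
    my @chars = ( 'A' .. 'Z', 'a' .. 'z', '0' .. '9' );
    return join '', map { $chars[ int rand @chars ] } 1 .. $len;
}

# STRONG: draw the bytes from the operating system's CSPRNG and encode them;
# knowledge of previous output gives no help in predicting the next value.
sub strong_nonce {
    my $nbytes = shift // 24;
    return encode_base64url( urandom($nbytes) );
}

# Show why rand() fails the "unpredictable" requirement: re-seeding with the
# same value (12345 is a constructed seed) replays the exact same nonce.
srand(12345);
my $first = weak_nonce();
srand(12345);
my $replay = weak_nonce();
printf "rand() nonce replays after re-seed: %s\n", $first eq $replay ? 'yes' : 'no';

# Two consecutive CSPRNG nonces are independent of each other and of any seed.
my ( $n1, $n2 ) = ( strong_nonce(), strong_nonce() );
printf "CSPRNG nonce: %s\n", $n1;
printf "two CSPRNG nonces differ: %s\n", $n1 ne $n2 ? 'yes' : 'no';
```

When auditing Perl code for this weakness, search for rand() and srand() calls that feed nonces, tokens, session identifiers or key material, and replace them with a CSPRNG-backed source such as the one above.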

Details

CWE(s): CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator)

Affected Products

dbook
WWW::OAuth

CVEs Like This One

CVE-2024-58041 (shared CWE-338)
CVE-2026-25726 (shared CWE-338)
CVE-2025-66630 (shared CWE-338)
CVE-2025-15578 (shared CWE-338)
CVE-2024-57854 (shared CWE-338)
CVE-2025-40920 (shared CWE-338)
CVE-2026-6659 (shared CWE-338)
CVE-2024-40762 (shared CWE-338)
CVE-2026-5087 (shared CWE-338)
CVE-2026-5088 (shared CWE-338)

References