CVE-2025-40905
Published: 13 February 2026
Summary
CVE-2025-40905 is a high-severity PRNG (CWE-338) vulnerability in Dbook Www\. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-13 (Cryptographic Protection).
Deeper analysis
CVE-2025-40905 is a vulnerability in WWW::OAuth version 1.000 and earlier, a Perl module for handling OAuth. The issue arises from the module's use of Perl's rand() function as the default source of entropy for cryptographic functions, which is not cryptographically secure. This flaw is categorized under CWE-338 and was published on 2026-02-13 with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Attackers with network access can exploit this vulnerability remotely with low complexity, requiring no privileges or user interaction. By predicting the output of the weak rand()-based randomness, they could compromise cryptographic operations within the module, leading to low-level impacts on confidentiality, integrity, and availability.
Advisories and references, including the module's source code at line 86 in lib/WWW/OAuth.pm, Perl documentation for rand(), a metaCPAN security guide on random data for security, and an oss-security mailing list announcement from 2026-02-13, highlight the need for cryptographically secure entropy sources in security-sensitive contexts. Security practitioners should review these resources for detailed mitigation recommendations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206911
Vulnerability details
WWW::OAuth 1.000 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Weak PRNG in OAuth crypto directly enables remote exploitation of public apps (T1190) and forging of web credentials/tokens via predictable randomness (T1606).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires cryptographically secure methods for key and nonce generation, directly blocking use of rand() as an entropy source in OAuth operations.
Mandates validated cryptographic modules and algorithms that cannot rely on non-cryptographic PRNGs such as Perl's rand().
Drives identification and patching of the vulnerable WWW::OAuth library to replace its insecure default entropy source.