Cyber Resilience

CVE-2025-40926

Severity: Critical
Published: 05 March 2026
Modified: 12 March 2026
KEV Added: not listed
Patch: available
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0043 (34.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-40926 is a critical-severity weak-PRNG (CWE-338) vulnerability in Kazeburo's Plack::Middleware::Session::Simple for Perl. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 34.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-40926 is a vulnerability in Plack::Middleware::Session::Simple versions before 0.05 for Perl, where the default session ID generator produces insecurely predictable identifiers. It computes a SHA-1 hash seeded with Perl's built-in rand function, the epoch time, and the process ID (PID). The PID draws from a limited range of values, epoch time can often be guessed or leaked via the HTTP Date header, and the rand function lacks cryptographic strength, violating CWE-338 (use of weak pseudo-random number generator) and CWE-340 (generation of predictable identifiers). This issue mirrors a similar flaw in the compatible Plack::Middleware::Session (CVE-2025-40923), earning a CVSS v3.1 score of 9.8 for its critical impact.

Remote attackers can exploit this over the network with low complexity and no privileges or user interaction required (AV:N/AC:L/PR:N/UI:N). By predicting session IDs, they can hijack active user sessions, impersonating legitimate users to access protected resources and systems, potentially leading to high confidentiality, integrity, and availability impacts (C:H/I:H/A:H).

Mitigation involves upgrading to version 0.05 or later, as detailed in the release changes and the fixing commit (760bb358b8f53e52cf415888a4ac858fd99bb24e). The patch addresses the weak generator, and the metacpan security guide emphasizes using cryptographically secure random data sources for such purposes. Source code diffs confirm the insecure implementation in prior versions.
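As an added illustration (not the module's code and not the fixing commit), the following Perl reconstructs the weak construction the advisory describes beside a generator that draws its entropy from the operating system's CSPRNG, plus a version check for the 0.05 fix; /dev/urandom and the 32-byte length are assumptions.

```perl
use strict;
use warnings;
use version;
use Digest::SHA qw(sha1_hex);

# Weak generator, reconstructed from the advisory's description (not the
# module's actual code). Every input is low-entropy or guessable:
#   rand()  Perl's built-in PRNG, not cryptographically strong
#   time()  epoch seconds, often leaked by the HTTP Date header
#   $$      the process ID, drawn from a small range
# Hashing them with SHA-1 adds no entropy; it only hides the structure.
sub weak_session_id {
    return sha1_hex( rand() . time() . $$ );
}

# Hardened generator: 32 bytes from the kernel CSPRNG, hex-encoded.
# /dev/urandom is an assumption (Linux/BSD); elsewhere use a CPAN module
# such as Crypt::URandom that wraps the platform's secure source.
sub strong_session_id {
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $want = 32;
    my $got  = read $fh, my $bytes, $want;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $want;
    return unpack 'H*', $bytes;    # 64 hex chars, 256 bits of entropy
}

# Defender-side check: the fix shipped in 0.05, so refuse to run
# with an older module version (pass $Plack::Middleware::Session::Simple::VERSION).
sub session_simple_is_patched {
    my ($v) = @_;
    return version->parse($v) >= version->parse('0.05') ? 1 : 0;
}

print "weak:   ", weak_session_id(),   "\n";
print "strong: ", strong_session_id(), "\n";
print "0.04 patched? ", session_simple_is_patched('0.04'), "\n";
print "0.05 patched? ", session_simple_is_patched('0.05'), "\n";
```

Wire `session_simple_is_patched` into a startup check so a deployment cannot silently keep using the default generator from a pre-0.05 install.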

Vulnerability details

Plack::Middleware::Session::Simple versions before 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems. Plack::Middleware::Session::Simple is intended to be compatible with Plack::Middleware::Session, which had a similar security issue, CVE-2025-40923.

CWE(s)

CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CWE-340 Generation of Predictable Numbers or Identifiers

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1550.004 Web Session Cookie (Lateral Movement): Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

Predictable session IDs directly enable remote session hijacking via forged web session cookies (T1550.004) on public-facing Perl web apps (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40562: same vendor (Kazeburo)
CVE-2025-40932: shared CWE-338, CWE-340
CVE-2025-15604: shared CWE-338, CWE-340
CVE-2026-2439: shared CWE-338, CWE-340
CVE-2026-5085: shared CWE-338, CWE-340
CVE-2026-3256: shared CWE-338, CWE-340
CVE-2026-5081: shared CWE-340
CVE-2025-40920: shared CWE-338, CWE-340
CVE-2025-15578: shared CWE-338
CVE-2025-40931: shared CWE-338, CWE-340

Affected Assets

Vendor: kazeburo
Product: plack (Plack::Middleware::Session::Simple, versions before 0.05)

Mitigating Controls (NIST 800-53 r5)

SC-23 Session Authenticity · prevent
Requires generation and management of session identifiers with strength and randomness requirements, directly preventing predictable session IDs from weak generators like Perl's rand, epoch time, and PID.

SI-2 Flaw Remediation · prevent
Mandates identification, reporting, and correction of flaws like the insecure session ID generator in Plack::Middleware::Session::Simple, with testing of patches such as upgrading to version 0.05.

Configuration control (identifier not shown on the page) · prevent
Enforces secure configuration settings for session management components to use cryptographically strong randomness, mitigating reliance on vulnerable default generators.
