CVE-2025-40926
Published: 05 March 2026
Summary
CVE-2025-40926 is a critical-severity vulnerability in Kazeburo's Plack::Middleware::Session::Simple for Perl, classified as use of a cryptographically weak PRNG (CWE-338). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 21.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-23 (Session Authenticity): requires generation and management of session identifiers that meet strength and randomness requirements, which rules out session IDs derived from Perl's rand, the epoch time and the PID.
- SI-2 (Flaw Remediation): mandates identification, reporting and correction of flaws such as the insecure session ID generator in Plack::Middleware::Session::Simple, including testing of the patch (upgrading to version 0.05 or later).
- Secure configuration settings: enforces configuration of session management components to use cryptographically strong randomness rather than relying on a vulnerable default generator.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Predictable session IDs directly enable remote session hijacking via forged web session cookies (T1550.004) on public-facing Perl web apps (T1190).
NVD Description
Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems. Plack::Middleware::Session::Simple is intended to be compatible with Plack::Middleware::Session, which had a similar security issue CVE-2025-40923.
Deeper analysis
CVE-2025-40926 is a vulnerability in Plack::Middleware::Session::Simple versions before 0.05 for Perl, where the default session ID generator produces predictable identifiers. It computes a SHA-1 hash over the output of Perl's built-in rand function, the epoch time and the process ID (PID). The PID is drawn from a small range of values, the epoch time can be guessed or read directly from the response's HTTP Date header, and rand is not a cryptographic generator. Together this matches CWE-338 (use of a cryptographically weak PRNG) and CWE-340 (generation of predictable identifiers). The issue mirrors the flaw in the compatible Plack::Middleware::Session (CVE-2025-40923) and carries a CVSS v3.1 base score of 9.8 (Critical).
Remote attackers can exploit this over the network with low complexity and no privileges or user interaction required (AV:N/AC:L/PR:N/UI:N). Hashing with SHA-1 adds no entropy: the session ID is a deterministic function of three guessable inputs, so the attacker's work is bounded by the product of their uncertainty about each input. By predicting session IDs they can hijack active user sessions and impersonate legitimate users to reach protected resources and systems, with high confidentiality, integrity and availability impact (C:H/I:H/A:H).
Mitigation is to upgrade to version 0.05 or later, as detailed in the release changes and the fixing commit (760bb358b8f53e52cf415888a4ac858fd99bb24e). The patch replaces the weak generator, and the metacpan security guide stresses using a cryptographically secure source of random data for identifiers of this kind. Source code diffs confirm the insecure implementation in prior versions. Note that session IDs already issued by the old generator stay guessable until they expire, so invalidating outstanding sessions after the upgrade is a sensible precaution.
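The Python model below is an added illustration, not code from Plack::Middleware::Session::Simple, its author, or the 0.05 fix. It shows why hashing rand, time and PID does not protect the identifier: an attacker who reads the Date header and knows a plausible PID range only has to enumerate the PRNG's seed space. `weak_rand` is a constructed LCG with a 12-bit seed standing in for Perl's rand() (the real seed space differs; the arithmetic in `search_space` is the point), the concatenation order and the sample epoch/PID/seed values are assumptions, and `secure_sid` is the shape of a CSPRNG-backed replacement rather than the project's actual patched generator.

```python
import hashlib
import secrets
from itertools import product

# Constructed stand-in for a non-cryptographic PRNG with a small seed space.
# It is NOT Perl's rand(); it only models the property the advisory relies on:
# the first output is fully determined by a seed an attacker can enumerate.
SEED_BITS = 12


def weak_rand(seed):
    # One textbook LCG step; returns a float in [0, 1) like rand() does.
    state = (1103515245 * (seed & 0xFFFFFFFF) + 12345) & 0xFFFFFFFF
    return state / 0x100000000


def vulnerable_sid(rand_value, epoch, pid):
    # Shape of the pre-0.05 default generator as the NVD text describes it:
    # SHA-1 over rand(), epoch time and PID. The concatenation order is an
    # assumption of this model.
    return hashlib.sha1(f"{rand_value}{epoch}{pid}".encode()).hexdigest()


def server_issue_session(seed, epoch, pid):
    # Server side: the id a vulnerable app would hand out in a Set-Cookie.
    return vulnerable_sid(weak_rand(seed), epoch, pid)


def search_space(seed_bits, epoch_window, pid_candidates):
    # Attacker work factor: product of the uncertainty about each input.
    return (1 << seed_bits) * epoch_window * pid_candidates


def predict_session(observed_sid, date_epoch, pid_range, skew=1,
                    seed_bits=SEED_BITS):
    """Attacker side: epoch from the HTTP Date header (+/- skew seconds),
    PID from a small candidate range, seed from the PRNG's seed space.
    Returns the recovered inputs, or None if the id is not in the space."""
    epochs = range(date_epoch - skew, date_epoch + skew + 1)
    for epoch, pid, seed in product(epochs, pid_range, range(1 << seed_bits)):
        if vulnerable_sid(weak_rand(seed), epoch, pid) == observed_sid:
            return {"epoch": epoch, "pid": pid, "seed": seed}
    return None


def secure_sid(nbytes=32):
    # Hardened replacement: 256 bits straight from the OS CSPRNG, with no
    # time or PID inputs that a Date header or process listing could reveal.
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Constructed sample values: a 12-bit seed, an epoch the attacker reads
    # from the Date header, and a PID inside a 100-process candidate range.
    sid = server_issue_session(seed=2718, epoch=1772668800, pid=4242)
    print("issued:", sid)
    print("recovered:", predict_session(sid, 1772668800, range(4200, 4300)))
    print("work factor:", search_space(SEED_BITS, 3, 100))
    print("secure:", secure_sid())
```

With a real Perl rand() the seed space is larger than 12 bits, but it is still far below the 128 bits or more that a session identifier needs, which is why the remedy is a CSPRNG-backed generator rather than a longer hash. Where the version in use lets the application supply its own session ID generator callback (an assumption about the module's options, not verified here), pointing it at a cryptographically secure source gives the same effect as the upstream fix.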
Details
- CWE(s)