CVE-2025-40931
Published: 05 March 2026
Summary
CVE-2025-40931 is a critical-severity vulnerability in the Perl module Apache::Session::Generate::MD5 (listed under vendor Chorny, product Apache): use of a cryptographically weak PRNG (CWE-338) to generate session identifiers. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Use Alternate Authentication Material: Web Session Cookie (T1550.004). The CVE ranks at the 8.0th percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates the CVE by requiring timely identification, reporting, and correction of the insecure session ID generation in Apache::Session::Generate::MD5 (in practice, applying the Crypt::URandom patch or switching to another generator).
- IA-5 (Authenticator Management): governs the strength of authenticators, session identifiers included, and so precludes generating them from predictable inputs such as rand(), the epoch time, and the PID.
- SC-23 (Session Authenticity): requires mechanisms that protect session authenticity, countering the hijacking that predictable session IDs from the MD5 generator make possible.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Predictable session ID generation lets an attacker forge a valid web session cookie (Forge Web Credentials: Web Cookies, T1606.001) and then present it to hijack the session (Use Alternate Authentication Material: Web Session Cookie, T1550.004).
NVD Description
Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session ids. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems. Note that the libapache-session-perl package in some Debian-based Linux distributions may be patched to use Crypt::URandom.
Deeper analysis
CVE-2025-40931 affects Apache::Session::Generate::MD5 versions through 1.94, the default session ID generator of the Perl Apache::Session framework used by web applications for session management. The module derives each session ID from an MD5 hash over three inputs: the output of Perl's built-in rand() function, the current epoch time, and the process ID (PID). Every one of those inputs is guessable: PIDs draw from a limited range, the epoch time can be inferred to within a few seconds from the HTTP Date header or similar leaks, and Perl's rand() is not a cryptographically secure generator, so hashing the inputs with MD5 adds no entropy they do not already have. The weaknesses are CWE-338 (use of a cryptographically weak PRNG) and CWE-340 (generation of predictable numbers or identifiers), and the CVE carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
An unauthenticated remote attacker needs no user interaction and only low complexity to exploit this: they enumerate the small space of plausible inputs, recompute candidate session IDs, and present a match. A successful guess is a session hijack, giving unauthorized access to the victim's session and compromising the confidentiality and integrity of any web application that relies on this module for session management; availability is unaffected (A:N).
Advisories and references highlight mitigations, including patches in the libapache-session-perl package for some Debian-based Linux distributions that replace the insecure generator with Crypt::URandom. Related discussions appear in a Debian bug report (bug 930659), a GitHub issue in the Apache-Session repository, a LemonLDAP-NG work item, and MetaCPAN source code and documentation for alternative generators like Apache::Session::Generate::Random.
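The construction described above and the Crypt::URandom-style fix, modeled in Python as an added example (not code from Apache::Session, the Debian patch, or this page). The weak generator hashes the epoch time, the PID and a non-cryptographic rand() whose seed is assumed here to derive from the clock, so an attacker who reads the server's Date header enumerates a few seconds times the PID range and recovers the ID; the hardened generator draws from the OS CSPRNG instead. The exact hash-input layout, the drand48-style LCG standing in for Perl's rand() and its clock seeding, the PID bound, and the sample Date header are constructed assumptions, not details from the advisory.

```python
"""Predictable vs. hardened session-ID generation (added example)."""
import hashlib
import secrets
from email.utils import parsedate_to_datetime
from typing import Optional, Tuple

# Assumption: a drand48-style 48-bit LCG stands in for Perl's rand(); the
# constants are the standard drand48 ones, but seeding it from the epoch
# second is a modelling choice that makes every hash input guessable.
LCG_A, LCG_C, LCG_MOD = 0x5DEECE66D, 0xB, 1 << 48
PID_MAX = 32768  # assumed PID range: the advisory's "small set of numbers"


def weak_rand(seed: int) -> float:
    """First output of the LCG after seeding, as a float in [0, 1)."""
    state = ((seed << 16) | 0x330E) & (LCG_MOD - 1)
    state = (LCG_A * state + LCG_C) % LCG_MOD
    return state / LCG_MOD


def weak_session_id(epoch: int, pid: int, length: int = 32) -> str:
    """Vulnerable pattern: MD5 over epoch time, a weak rand() and the PID."""
    material = f"{epoch}{weak_rand(epoch)}{pid}".encode()
    return hashlib.md5(material).hexdigest()[:length]


def strong_session_id(length: int = 32) -> str:
    """Hardened pattern (what a Crypt::URandom seed buys): OS CSPRNG bytes."""
    return secrets.token_hex(length // 2)


def epoch_from_date_header(date_value: str) -> int:
    """Recover the server clock from a response's HTTP Date header."""
    return int(parsedate_to_datetime(date_value).timestamp())


def guess_session_id(target: str, server_epoch: int, window: int = 5
                     ) -> Optional[Tuple[int, int]]:
    """Attacker side: enumerate clock +/- window seconds and every PID.

    Returns the (epoch, pid) pair that reproduces `target`, or None when no
    candidate matches (the case for an ID from the hardened generator).
    """
    for epoch in range(server_epoch - window, server_epoch + window + 1):
        for pid in range(1, PID_MAX):
            if weak_session_id(epoch, pid) == target:
                return epoch, pid
    return None


if __name__ == "__main__":
    # Constructed scenario: the Date header leaks the clock, and the session
    # was issued one second earlier by PID 4242.
    clock = epoch_from_date_header("Tue, 14 Nov 2023 22:13:20 GMT")
    sid = weak_session_id(clock - 1, 4242)
    print("weak id:", sid, "recovered as:", guess_session_id(sid, clock))
    print("hardened id:", strong_session_id())
```

The search over eleven seconds and 32767 PIDs is a few hundred thousand MD5 computations, which is why the MD5 wrapper buys nothing: the attacker's cost is bounded by the entropy of the inputs, not by the hash. Swapping the seed for CSPRNG output, as the Crypt::URandom patch does, removes the enumerable structure entirely.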
Details
- CWE(s)