Crypt::Random Perl package 1.05 through 1.55 may use rand() function, which is not cryptographically strong, for cryptographic functions.

If the Provider is not specified and /dev/urandom or an Entropy Gathering Daemon (egd) service is not available Crypt::Random will default to use the insecure Crypt::Random::rand provider.

In particular, Windows versions of perl will encounter this issue by default.
Fixes

Solution

Upgrade to version 1.56 or higher


Workaround

No workaround given by the vendor.

History

Fri, 05 Sep 2025 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-331

Fri, 27 Jun 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Timlegge
Timlegge crypt\
CPEs cpe:2.3:a:timlegge:crypt\:\:random:*:*:*:*:*:perl:*:*
Vendors & Products Timlegge
Timlegge crypt\

Wed, 26 Mar 2025 01:45:00 +0000

Type Values Removed Values Added
Description Crypt::Random Perl package 1.05 through 1.55 may use rand() function, which is not cryptographically strong, for cryptographic functions. Crypt::Random::rand 1.05 through 1.55 uses the rand() function. If the Provider is not specified and /dev/urandom or an Entropy Gathering Daemon (egd) service is not available Crypt::Random will default to use the insecure Crypt::Random::rand provider. In particular, Windows versions of perl will encounter this issue by default. Crypt::Random Perl package 1.05 through 1.55 may use rand() function, which is not cryptographically strong, for cryptographic functions. If the Provider is not specified and /dev/urandom or an Entropy Gathering Daemon (egd) service is not available Crypt::Random will default to use the insecure Crypt::Random::rand provider. In particular, Windows versions of perl will encounter this issue by default.

Tue, 11 Mar 2025 03:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 11 Mar 2025 00:00:00 +0000

Type Values Removed Values Added
Description Crypt::Random Perl package 1.05 through 1.55 may use rand() function, which is not cryptographically strong, for cryptographic functions. Crypt::Random::rand 1.05 through 1.55 uses the rand() function. If the Provider is not specified and /dev/urandom or an Entropy Gathering Daemon (egd) service is not available Crypt::Random will default to use the insecure Crypt::Random::rand provider. In particular, Windows versions of perl will encounter this issue by default.
Title Perl's Crypt::Random module after 1.05 and before 1.56 may use rand() function for cryptographic functions
Weaknesses CWE-338
References

cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2025-09-09T13:56:40.704Z

Reserved: 2025-03-01T15:39:14.682Z

Link: CVE-2025-1828

cve-icon Vulnrichment

Updated: 2025-03-11T02:20:38.444Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-11T00:15:11.060

Modified: 2025-09-29T22:40:03.673

Link: CVE-2025-1828

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.