CVE-2025-40925 - Vulnerability Details - OpenCVE

Starch versions 0.14 and earlier generate session ids insecurely.

The default session id generator returns a SHA-1 hash seeded with a counter, the epoch time, the built-in rand function, the PID, and internal Perl reference addresses. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

Predicable session ids could allow an attacker to gain access to systems.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/bluefeet/Starch/commit/5573449e64e0660f7ee209d1eab5881d4ccbee3b.patch
https://github.com/bluefeet/Starch/pull/5
https://metacpan.org/dist/Starch/source/lib/Starch/Manager.pm

History

Sat, 20 Sep 2025 12:45:00 +0000

Type	Values Removed	Values Added
Description		Starch versions 0.14 and earlier generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with a counter, the epoch time, the built-in rand function, the PID, and internal Perl reference addresses. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.
Title		Starch versions 0.14 and earlier generate session ids insecurely
Weaknesses		CWE-338 CWE-340
References		https://github.com/bluefeet/Starch/commit/5573449e64e0660f7ee209d1eab5881d4ccbee3b.patch https://github.com/bluefeet/Starch/pull/5 https://metacpan.org/dist/Starch/source/lib/Starch/Manager.pm

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published: 2025-09-20T12:31:34.353Z

Updated: 2025-09-20T12:31:34.353Z

Reserved: 2025-04-16T09:05:34.362Z

Link: CVE-2025-40925

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-40925", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2025-04-16T09:05:34.362Z", "datePublished": "2025-09-20T12:31:34.353Z", "dateUpdated": "2025-09-20T12:31:34.353Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Starch", "product": "Starch", "programFiles": ["lib/Starch/Manager.pm"], "repo": "https://github.com/bluefeet/Starch", "vendor": "BLUEFEET", "versions": [{"lessThanOrEqual": "0.14", "status": "affected", "version": "0.01", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>Starch versions 0.14 and earlier generate session ids insecurely.</div><div>The default session id generator returns a SHA-1 hash seeded with a counter, the epoch time, the built-in rand function, the PID, and internal Perl reference addresses. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.</div><div>Predicable session ids could allow an attacker to gain access to systems.</div>"}], "value": "Starch versions 0.14 and earlier generate session ids insecurely.\n\nThe default session id generator returns a SHA-1 hash seeded with a counter, the epoch time, the built-in rand function, the PID, and internal Perl reference addresses. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nPredicable session ids could allow an attacker to gain access to systems."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-340", "description": "CWE-340 Generation of Predictable Numbers or Identifiers", "lang": "en", "type": "CWE"}, {"cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2025-09-20T12:31:34.353Z"}, "references": [{"url": "https://github.com/bluefeet/Starch/pull/5"}, {"tags": ["patch"], "url": "https://github.com/bluefeet/Starch/commit/5573449e64e0660f7ee209d1eab5881d4ccbee3b.patch"}, {"url": "https://metacpan.org/dist/Starch/source/lib/Starch/Manager.pm"}], "source": {"discovery": "UNKNOWN"}, "title": "Starch versions 0.14 and earlier generate session ids insecurely", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}