Description
Plack::Middleware::Session::Simple versions before 0.05 for Perl generate session ids insecurely.

The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

Predictable session ids could allow an attacker to gain access to systems.

Plack::Middleware::Session::Simple is intended to be compatible with Plack::Middleware::Session, which had a similar security issue, CVE-2025-40923.
Published: 2026-03-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Insecure session identifiers can lead to session hijacking
Action: Patch
AI Analysis

Impact

Plack::Middleware::Session::Simple before 0.05 creates session identifiers by hashing a value that includes the result of Perl's built-in rand function, the current time, and the process ID. The rand function is not cryptographically secure, and the time and PID values are small or guessable, so the resulting SHA‑1 hash is predictable. An attacker who can guess a valid session id can impersonate a user or hijack an existing session, gaining whatever privileges the legitimate session holds. Therefore this weakness constitutes a critical flaw that directly exposes confidentiality and integrity of user sessions.

Affected Systems

The vulnerability affects the Perl module Plack::Middleware::Session::Simple from vendor KAZEBURO. All releases prior to 0.05 are impacted. The advisory also notes that Plack::Middleware::Session, which has a similar flaw (CVE‑2025‑40923), is fixed in version 0.35. Systems that rely on older versions of these modules are at risk.

Risk and Exploitability

The CVSS base score of 9.8 signals critical severity, and the EPSS score of <1% indicates a low but not negligible likelihood of exploitation in the wild. The module is not listed in the CISA KEV catalog, so no known public exploit has been reported yet. However, because the session ids are generated using low‑entropy data, an attacker can predict them with limited effort, especially if the HTTP Date header leaks the epoch time. Consequently the risk remains high, and rapid mitigation is recommended.

Generated by OpenCVE AI on April 22, 2026 at 11:24 UTC.

Remediation

Vendor Solution

Users are advised to upgrade to version 0.05 or later.

Vendor Workaround

Users are advised to change the sid_generator attribute of Plack::Middleware::Session::Simple to a function that returns a securely generated session id based on a secure source of entropy from the system. Users may consider using Plack::Middleware::Session version 0.35 or later.

OpenCVE Recommended Actions

  • Apply the latest patch by upgrading Plack::Middleware::Session::Simple to version 0.05 or newer
  • If a quick upgrade is not possible, configure the sid_generator attribute to a function that returns a securely generated session id based on a secure source of entropy from the system
  • Alternatively, replace the module with Plack::Middleware::Session version 0.35 or later, which uses a stronger session id generator
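The workaround leaves the replacement generator itself to the reader. The following is an added example, not code from the advisory or from the module, of a Plack::Builder setup that supplies a sid_generator drawing 128 bits from the kernel CSPRNG, a sid_validator that matches exactly what the generator emits, and a startup self-check that refuses to boot if the generator ever repeats. It assumes the option names sid_generator, sid_validator, store, cookie_name, secure and httponly as documented for Plack::Middleware::Session::Simple, a store object exposing get/set/remove, a readable /dev/urandom, and Perl 5.14 or later; DemoStore is a constructed in-memory store for demonstration only.

```perl
use strict;
use warnings;
use Plack::Builder;

# Constructed in-memory session store for the demo. The middleware is
# assumed to need only get/set/remove on the store object; in production
# use a shared store such as memcached or a database.
package DemoStore {
    sub new    { bless { data => {} }, shift }
    sub get    { $_[0]{data}{ $_[1] } }
    sub set    { my ($self, $id, $val) = @_; $self->{data}{$id} = $val }
    sub remove { delete $_[0]{data}{ $_[1] } }
}

package main;

# 16 bytes from the kernel CSPRNG -> 32 lowercase hex characters (128 bits
# of entropy). No rand(), no epoch time, no PID: nothing an observer can
# narrow down from the HTTP Date header or a process listing.
sub secure_sid {
    my $bytes = 16;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $n = read $fh, my $buf, $bytes;
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == $bytes;
    return unpack 'H*', $buf;
}

# The validator must accept exactly what the generator emits; otherwise
# every cookie is rejected and a fresh session is issued on each request.
my $sid_validator = qr/\A[0-9a-f]{32}\z/;

# Startup self-check: a batch of ids must all validate and be distinct.
# A duplicate here means the entropy source is broken (for example a
# PRNG seeded from low-entropy inputs, the defect this advisory describes).
sub check_sid_generator {
    my ($gen, $validator, $count) = @_;
    my %seen;
    for my $i (1 .. $count) {
        my $sid = $gen->();
        die "sid '$sid' fails validator" unless $sid =~ $validator;
        die "duplicate sid '$sid' after $i draws" if $seen{$sid}++;
    }
    return 1;
}
check_sid_generator(\&secure_sid, $sid_validator, 10_000);

# Minimal PSGI app that touches the session so a cookie is issued.
my $app = sub {
    my $env     = shift;
    my $session = $env->{'psgix.session'};
    $session->{hits} = ($session->{hits} // 0) + 1;
    return [ 200, [ 'Content-Type' => 'text/plain' ], [ "hits: $session->{hits}\n" ] ];
};

builder {
    enable 'Session::Simple',
        store         => DemoStore->new,
        cookie_name   => 'sid',
        httponly      => 1,      # keep the id away from page scripts
        secure        => 1,      # only send over TLS
        sid_generator => \&secure_sid,
        sid_validator => $sid_validator;
    $app;
};
```

Save as app.psgi and run with plackup. The self-check runs once at load time, so a misconfigured entropy source fails the deployment instead of silently issuing guessable ids; after upgrading to 0.05 or later the explicit sid_generator can be dropped, but keeping the validator in step with whatever generator is in use remains worthwhile.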


Advisories

No advisories yet.

History

Wed, 11 Mar 2026 23:45:00 +0000

Type: Description
  Values Removed: Plack::Middleware::Session::Simple versions through 0.04 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems. Plack::Middleware::Session::Simple is intended to be compatible with Plack::Middleware::Session, which had a similar security issue CVE-2025-40923.
  Values Added: Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems. Plack::Middleware::Session::Simple is intended to be compatible with Plack::Middleware::Session, which had a similar security issue CVE-2025-40923.
Type: Title
  Values Removed: Plack::Middleware::Session::Simple versions through 0.04 for Perl generates session ids insecurely
  Values Added: Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely
Type: References (no values shown)

Mon, 09 Mar 2026 14:45:00 +0000

Type: First Time appeared
  Values Added: Kazeburo plack\
Type: CPEs
  Values Added: cpe:2.3:a:kazeburo:plack\:\:middleware\:\:session\:\:simple:*:*:*:*:*:perl:*:*
Type: Vendors & Products
  Values Added: Kazeburo plack\

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
  Values Added: Kazeburo; Kazeburo plack::middleware::session::simple
Type: Vendors & Products
  Values Added: Kazeburo; Kazeburo plack::middleware::session::simple

Thu, 05 Mar 2026 17:15:00 +0000

Type: Metrics
  Values Added:
    cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 02:15:00 +0000

Type: Description
  Values Added: Plack::Middleware::Session::Simple versions through 0.04 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems. Plack::Middleware::Session::Simple is intended to be compatible with Plack::Middleware::Session, which had a similar security issue CVE-2025-40923.
Type: Title
  Values Added: Plack::Middleware::Session::Simple versions through 0.04 for Perl generates session ids insecurely
Type: Weaknesses
  Values Added: CWE-338; CWE-340
Type: References (no values shown)

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-04-21T02:42:17.296Z

Reserved: 2025-04-16T09:05:34.362Z

Link: CVE-2025-40926

Vulnrichment

Updated: 2026-03-05T16:29:20.447Z

NVD

Status : Modified

Published: 2026-03-05T02:16:39.790

Modified: 2026-03-12T00:16:10.650

Link: CVE-2025-40926

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:30:15Z

Weaknesses