Description
HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function.

The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage.

HTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), then it will revert to the insecure method described above.
Published: 2026-02-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Predictable session IDs may enable session hijacking
Action: Immediate Patch
AI Analysis

Impact

The session identifier generator in HTTP::Session2 uses the built-in rand() function combined with the current epoch time and process ID. Because the PID comes from a small set of numbers and the epoch time may be inferred from an HTTP Date header, the resulting hash is far from cryptographically secure. An attacker who can guess or observe the epoch and PID has a high probability of predicting future session identifiers, enabling session fixation or hijacking of authenticated users.

Affected Systems

All installations of TOKUHIROM’s HTTP::Session2 for Perl that run versions prior to 1.12 are affected. While the module attempts to use /dev/urandom from version 1.02 onward, the fallback to the insecure rand()-based method remains active if /dev/urandom is unavailable (for example on Windows). The module was formally deprecated in version 1.11, and users are encouraged to migrate to a different solution or update to 1.12 or later.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests that exploitation attempts are uncommon at this time. The vulnerability is not listed in the CISA KEV catalog, which further limits the immediate threat. Nevertheless, an attacker with network visibility can exploit the weak randomness by predicting session IDs, provided they can monitor session creation traffic and, ideally, read the server’s HTTP Date header. The attack becomes feasible when the server falls back to the insecure method because /dev/urandom is unavailable on the host system.

Generated by OpenCVE AI on April 17, 2026 at 13:56 UTC.

Remediation

Vendor Solution

HTTP::Session2 has been deprecated since version 1.11. Migrate to a different solution.


Vendor Workaround

Upgrade to version 1.12 or later.


OpenCVE Recommended Actions

  • Migrate to an alternative session management library that guarantees cryptographic randomness for session identifiers.
  • Upgrade to HTTP::Session2 version 1.12 or later, which uses /dev/urandom to generate session IDs.
  • If the environment lacks /dev/urandom (e.g., on Windows), verify that the module does not revert to the insecure rand() fallback by inspecting the code or environment variables.
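As an added illustration (not HTTP::Session2's own code, and not part of this advisory), the Perl script below reconstructs the weak scheme the description attributes to the module, puts a fail-closed /dev/urandom generator beside it, and gives operators a concrete check for the fallback condition named in the last item above. The function names and the 32-byte id length are assumptions for the example.

```perl
#!/usr/bin/env perl
# Added example, not HTTP::Session2's code: weak scheme as described in the
# advisory, a fail-closed alternative, and an operator check for the fallback.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);

# Reconstruction of the weak scheme as the advisory describes it: SHA-1 over
# rand(), the epoch time and the PID. Hashing does not add entropy; every
# input is small or guessable, so the output is guessable too.
sub weak_session_id {
    return sha1_hex( rand() . time() . $$ );
}

# Hardened generator: 32 bytes read from /dev/urandom, hex-encoded.
# If the device cannot be opened or read (e.g. on Windows), die rather
# than silently degrade to the rand()-based scheme.
sub strong_session_id {
    my $want = 32;
    open my $fh, '<:raw', '/dev/urandom'
        or die "fail closed: /dev/urandom unavailable: $!";
    my $buf = '';
    while ( length($buf) < $want ) {
        my $n = sysread( $fh, $buf, $want - length($buf), length($buf) );
        die "fail closed: short read from /dev/urandom" unless $n;
    }
    close $fh;
    return unpack( 'H*', $buf );
}

# Operator check: is /dev/urandom a readable character device on this host?
# Where this returns false, HTTP::Session2 before 1.12 takes the rand() path.
sub urandom_available {
    return ( -r '/dev/urandom' && -c _ ) ? 1 : 0;
}

if ( urandom_available() ) {
    print "urandom available; fail-closed id: ", strong_session_id(), "\n";
}
else {
    print "WARNING: /dev/urandom unavailable; HTTP::Session2 < 1.12 falls back to rand()\n";
}
print "weak-scheme id (comparison only, never use): ", weak_session_id(), "\n";
```

Run it on each host that serves the application; the warning branch identifies exactly the environments where the rand() fallback described above would be taken.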


Advisories

No advisories yet.

History

Wed, 04 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Tokuhirom http\
CPEs cpe:2.3:a:tokuhirom:http\:\:session2:*:*:*:*:*:perl:*:*
Vendors & Products Tokuhirom http\

Tue, 03 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Tokuhirom
Tokuhirom http::session2
Vendors & Products Tokuhirom
Tokuhirom http::session2

Sat, 28 Feb 2026 01:30:00 +0000

Type Values Removed Values Added
References

Fri, 27 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Description HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function. The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage. HTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), then it will revert to the insecure method described above.
Title HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function
Weaknesses CWE-338
CWE-340
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-03-03T20:23:53.160Z

Reserved: 2026-02-26T11:43:17.278Z

Link: CVE-2026-3255

Vulnrichment

Updated: 2026-02-28T00:15:39.689Z

NVD

Status : Analyzed

Published: 2026-02-27T20:21:41.180

Modified: 2026-03-04T15:51:09.683

Link: CVE-2026-3255

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:00:15Z

Weaknesses