{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3255", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2026-02-26T11:43:17.278Z", "datePublished": "2026-02-27T20:12:35.414Z", "dateUpdated": "2026-03-03T20:23:53.160Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "HTTP-Session2", "product": "HTTP::Session2", "repo": "https://github.com/tokuhirom/HTTP-Session2", "vendor": "TOKUHIROM", "versions": [{"lessThan": "1.12", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function.\n\nThe HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage.\n\nHTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), then it will revert to the insecure method described above."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-340", "description": "CWE-340 Generation of Predictable Numbers or Identifiers", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-02-27T20:12:35.414Z"}, "references": [{"url": "https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.11/source/lib/HTTP/Session2/Random.pm#L35"}, {"url": "https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.01/source/lib/HTTP/Session2/ServerStore.pm#L68"}, {"tags": ["release-notes"], "url": "https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.12/changes"}, {"tags": ["patch"], "url": "https://github.com/tokuhirom/HTTP-Session2/commit/9cfde4d7e0965172aef5dcfa3b03bb48df93e636.patch"}], "solutions": [{"lang": "en", "value": "HTTP::Session2 has been deprecated since version 1.11. Migrate to a different solution."}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2014-07-31T00:00:00.000Z", "value": "version 1.02 HTTP::Session2 released that attempts to use /dev/urandom."}, {"lang": "en", "time": "2026-02-24T00:00:00.000Z", "value": "version 1.11 HTTP::Session2 deprecated"}, {"lang": "en", "time": "2026-02-26T00:00:00.000Z", "value": "version 1.12 HTTP::Session2 released with a fix with a portable solution."}], "title": "HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function", "workarounds": [{"lang": "en", "value": "Upgrade to version 1.12 or later."}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/27/12"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-28T00:15:39.689Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T20:23:27.914632Z", "id": "CVE-2026-3255", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T20:23:53.160Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/27/12"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-28T00:15:39.689Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3255", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T20:23:27.914632Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T20:23:48.536Z"}}], "cna": {"title": "HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "affected": [{"repo": "https://github.com/tokuhirom/HTTP-Session2", "vendor": "TOKUHIROM", "product": "HTTP::Session2", "versions": [{"status": "affected", "version": "0", "lessThan": "1.12", "versionType": "custom"}], "packageName": "HTTP-Session2", "collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2014-07-31T00:00:00.000Z", "value": "version 1.02 HTTP::Session2 released that attempts to use /dev/urandom."}, {"lang": "en", "time": "2026-02-24T00:00:00.000Z", "value": "version 1.11 HTTP::Session2 deprecated"}, {"lang": "en", "time": "2026-02-26T00:00:00.000Z", "value": "version 1.12 HTTP::Session2 released with a fix with a portable solution."}], "solutions": [{"lang": "en", "value": "HTTP::Session2 has been deprecated since version 1.11. Migrate to a different solution."}], "references": [{"url": "https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.11/source/lib/HTTP/Session2/Random.pm#L35"}, {"url": "https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.01/source/lib/HTTP/Session2/ServerStore.pm#L68"}, {"url": "https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.12/changes", "tags": ["release-notes"]}, {"url": "https://github.com/tokuhirom/HTTP-Session2/commit/9cfde4d7e0965172aef5dcfa3b03bb48df93e636.patch", "tags": ["patch"]}], "workarounds": [{"lang": "en", "value": "Upgrade to version 1.12 or later."}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}, "descriptions": [{"lang": "en", "value": "HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function.\n\nThe HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage.\n\nHTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), then it will revert to the insecure method described above."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-340", "description": "CWE-340 Generation of Predictable Numbers or Identifiers"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-02-27T20:12:35.414Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3255", "state": "PUBLISHED", "dateUpdated": "2026-03-03T20:23:53.160Z", "dateReserved": "2026-02-26T11:43:17.278Z", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "datePublished": "2026-02-27T20:12:35.414Z", "assignerShortName": "CPANSec"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tokuhirom:http\\:\\:session2:*:*:*:*:*:perl:*:*", "matchCriteriaId": "D09565CB-6117-4D7D-BDFB-60715A2A058E", "versionEndExcluding": "1.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function.\n\nThe HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage.\n\nHTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), then it will revert to the insecure method described above."}, {"lang": "es", "value": "Las versiones de HTTP::Session2 anteriores a la 1.12 para Perl pueden generar identificadores de sesi\u00f3n d\u00e9biles utilizando la funci\u00f3n rand().\n\nEl generador de identificadores de sesi\u00f3n de HTTP::Session2 devuelve un hash SHA-1 inicializado con la funci\u00f3n rand incorporada, el tiempo de \u00e9poca y el PID. El PID provendr\u00e1 de un peque\u00f1o conjunto de n\u00fameros, y el tiempo de \u00e9poca puede ser adivinado, si no se filtra del encabezado HTTP Date. La funci\u00f3n rand() incorporada no es adecuada para uso criptogr\u00e1fico.\n\nHTTP::Session2 despu\u00e9s de la versi\u00f3n 1.02 intentar\u00e1 usar el dispositivo /dev/urandom para generar un identificador de sesi\u00f3n, pero si el dispositivo no est\u00e1 disponible (por ejemplo, bajo Windows), entonces revertir\u00e1 al m\u00e9todo inseguro descrito anteriormente."}], "id": "CVE-2026-3255", "lastModified": "2026-03-04T15:51:09.683", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-27T20:21:41.180", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Patch"], "url": "https://github.com/tokuhirom/HTTP-Session2/commit/9cfde4d7e0965172aef5dcfa3b03bb48df93e636.patch"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Issue Tracking"], "url": "https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.01/source/lib/HTTP/Session2/ServerStore.pm#L68"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Issue Tracking"], "url": "https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.11/source/lib/HTTP/Session2/Random.pm#L35"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Release Notes"], "url": "https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.12/changes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/02/27/12"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-338"}, {"lang": "en", "value": "CWE-340"}], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.12)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "HTTP::Session2", "source": "cna", "vendor": "TOKUHIROM"}, "product": "http::session2", "vendor": "tokuhirom"}], "created": "2026-03-02T12:05:01.834427+00:00", "updated": "2026-03-02T12:05:01.834504+00:00", "vendors": ["tokuhirom", "tokuhirom$PRODUCT$http::session2"]}