This vulnerability arises because the HTTP::Session module uses a non‑cryptographic rand function to seed SHA‑1 or MD5 hashes for session identifiers. The low‑entropy components—process ID, epoch time, and a predictable rand output—allow attackers to guess or reproduce session IDs. If an attacker obtains a valid session token, they can impersonate a legitimate user, leading to unauthorized access or data tampering. Because session IDs are the gateway to a user’s state, the weakness directly threatens confidentiality and integrity of the application.

The flaw affects the Perl package HTTP::Session provided by developer KTAT, specifically all releases through version 0.53. Servers or web applications that rely on this module for managing user sessions are potentially vulnerable. The vulnerability applies to any environment running Perl with this module, regardless of operating system, unless the developer has overridden the default ID generator.

The CVSS score of 9.8 represents a high severity, and the EPSS score of less than 1% indicates a low likelihood of exploitation at present. However, the weakness can be exploited remotely by any client capable of guessing the predictable session token, especially if the HTTP Date header leaks the epoch time. Because the default configuration is what most users will have, a vulnerability in the session Id generator can be leveraged without requiring privileged access or additional software. The issue is not listed in the CISA KEV catalog, but the potential to cause session hijacking makes timely patching essential.