Description
HTTP::Session versions before 0.54 for Perl defaults to using insecurely generated session ids.

HTTP::Session defaults to using HTTP::Session::ID::SHA1 to generate session ids using a SHA-1 hash seeded with the built-in rand function, the high resolution epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

The distribution includes HTTP::session::ID::MD5 which contains a similar flaw, but uses the MD5 hash instead.
Published: 2026-03-28
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HTTP::Session generates session identifiers using an insecure scheme, defaulting to the HTTP::Session::ID::SHA1 module. The ID is created by hashing a seed comprised of the output of Perl’s built-in rand, the process ID, and the current high‑resolution epoch time. Because the PID value comes from a limited set and the epoch time can be approximated or leaked via the HTTP Date header, and because rand is not cryptographically secure, the resulting identifiers contain very low entropy. The distribution also includes an HTTP::Session::ID::MD5 implementation that uses the same generation flow, further expanding the surface area. This flaw allows an attacker to predict or brute‑force valid session tokens, enabling session hijacking and impersonation of legitimate users, which compromises the confidentiality and integrity of user data.

Affected Systems

The issue affects the Perl package HTTP::Session provided by developer KTAT. All releases before version 0.54 are vulnerable. Perl applications that rely running on Linux, Windows, or other operating systems, are at risk unless they override the default ID generator. Note that HTTP::Session version for the package and APT recommends migrating to an alternative solution.

Risk and Exploitability

Based on the description and the metrics, the flaw allows an attacker to predict or brute‑force session identifiers using the insecure seed. The EPSS score of <1% indicates the exploitation likelihood is very low at present, though the CVSS score of 9.8 remains high. The vulnerability is not listed in CISA’s KEV catalog, meaning no known widespread exploitation has been reported. Attackers could still leverage the predictability for targeted hijacking attempts, but the low EPSS suggests such attacks are currently uncommon.

Generated by OpenCVE AI on June 29, 2026 at 09:24 UTC.

Remediation

Vendor Solution

Upgrade to version 0.54 or later. Note that HTTP::Session as of version 0.54 is deprecated. Users should migrate their applications to alternative solutions.


OpenCVE Recommended Actions

  • Upgrade HTTP::Session to version 0.54 or later, acknowledging that 0.54 is deprecated and planning a migration to a modern session library.
  • If upgrade is delayed, configure HTTP::Session explicitly to use the HTTP::Session::ID::Urandom generator, which pulls entropy from /dev/urandom, or employ a custom generator based on Crypt::SysRandom.
  • For environments lacking /dev/urandom, implement a secure ID module that sources randomness from a cryptographically secure RNG such as Crypt::URandom.
  • Replace the Perl application’s reliance on HTTP::Session entirely with a proven, actively maintained session management solution, ensuring the new library provides cryptographically strong ID generation by default.

Generated by OpenCVE AI on June 29, 2026 at 09:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 07:00:00 +0000

Type Values Removed Values Added
Description HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids. HTTP::Session defaults to using HTTP::Session::ID::SHA1 to generate session ids using a SHA-1 hash seeded with the built-in rand function, the high resolution epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. The distribution includes HTTP::session::ID::MD5 which contains a similar flaw, but uses the MD5 hash instead. HTTP::Session versions before 0.54 for Perl defaults to using insecurely generated session ids. HTTP::Session defaults to using HTTP::Session::ID::SHA1 to generate session ids using a SHA-1 hash seeded with the built-in rand function, the high resolution epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. The distribution includes HTTP::session::ID::MD5 which contains a similar flaw, but uses the MD5 hash instead.
Title HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids HTTP::Session versions before 0.54 for Perl defaults to using insecurely generated session ids
References

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Ktat http\
CPEs cpe:2.3:a:ktat:http\:\:session:*:*:*:*:*:perl:*:*
Vendors & Products Ktat http\
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Ktat
Ktat http::session
Vendors & Products Ktat
Ktat http::session

Sat, 28 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
References

Sat, 28 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Description HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids. HTTP::Session defaults to using HTTP::Session::ID::SHA1 to generate session ids using a SHA-1 hash seeded with the built-in rand function, the high resolution epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. The distribution includes HTTP::session::ID::MD5 which contains a similar flaw, but uses the MD5 hash instead.
Title HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids
Weaknesses CWE-338
CWE-340
References

Subscriptions

Ktat Http::session Http\
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-29T06:50:16.274Z

Reserved: 2026-02-26T11:59:23.755Z

Link: CVE-2026-3256

cve-icon Vulnrichment

Updated: 2026-03-28T20:06:47.537Z

cve-icon NVD

Status : Modified

Published: 2026-03-28T19:16:56.570

Modified: 2026-06-17T10:43:17.177

Link: CVE-2026-3256

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T09:30:17Z

Weaknesses
  • CWE-338

    Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • CWE-340

    Generation of Predictable Numbers or Identifiers