Impact
HTTP::Session generates session identifiers with an insecure scheme, defaulting to the HTTP::Session::ID::SHA1 module. The ID is produced by hashing a seed made up of the output of Perl's built-in rand, the process ID, and the current high-resolution epoch time. The PID is drawn from a small range, the epoch time can be approximated or leaked via the HTTP Date header, and rand is not cryptographically secure, so the resulting identifiers carry very little entropy. The distribution also ships an HTTP::Session::ID::MD5 implementation that follows the same generation flow, widening the exposure. An attacker can therefore predict or brute-force valid session tokens, hijack sessions, and impersonate legitimate users, compromising the confidentiality and integrity of user data.
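To make the weakness concrete, the following added Python example (not code from HTTP::Session or its author) mirrors the construction described above, a hash over rand output, PID and high-resolution time, and shows that the ID is a deterministic function of those three inputs, so its strength is bounded by how well an observer can narrow them down. The exact string concatenation is an assumption; the entropy-budget helper takes the PID range, the time window, the clock resolution and the unknown rand bits as parameters rather than asserting platform-specific values. The hardened generator alongside it is what an overriding ID module should do: draw the identifier from the operating system CSPRNG.

```python
"""Added illustration of the HTTP::Session ID weakness (not the module's code)."""
import hashlib
import math
import secrets


def weak_session_id(rand_value: float, pid: int, epoch_time: float) -> str:
    """Mirror the described scheme: SHA-1 over rand output, PID and hi-res time.

    The concatenation format is an assumption; the point is that every input
    is something an observer can bound, so the output is predictable once the
    inputs are known or guessed.
    """
    seed = f"{rand_value}{pid}{epoch_time}"
    return hashlib.sha1(seed.encode()).hexdigest()


def seed_entropy_bits(pid_space: int, time_window_s: float,
                      time_resolution_s: float, rand_bits: int) -> float:
    """Upper bound, in bits, on what an attacker has to guess.

    pid_space:          number of PIDs the server process could plausibly have
    time_window_s:      how tightly the timestamp can be bounded (e.g. from the
                        HTTP Date header)
    time_resolution_s:  how finely the high-resolution clock ticks
    rand_bits:          bits of the non-cryptographic rand() output that are
                        genuinely unknown to the attacker
    """
    time_guesses = max(1.0, time_window_s / time_resolution_s)
    return math.log2(pid_space) + math.log2(time_guesses) + rand_bits


def strong_session_id(nbytes: int = 32) -> str:
    """Hardened replacement: 256 bits from the OS CSPRNG, hex encoded."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Constructed sample inputs, not values observed on any real system.
    sample = (0.4130768, 12345, 1700000000.123456)
    print("weak id:          ", weak_session_id(*sample))
    print("same inputs again:", weak_session_id(*sample))  # identical output
    bits = seed_entropy_bits(pid_space=32768, time_window_s=1.0,
                             time_resolution_s=1e-6, rand_bits=48)
    print(f"seed entropy upper bound: {bits:.1f} bits (strong id: 256 bits)")
    print("strong id:        ", strong_session_id())
```

The entropy figure is an upper bound: if rand's state is reused across IDs or the timestamp leaks more precisely, the real search space is smaller still, whereas the CSPRNG token's 256 bits do not depend on anything the attacker can observe.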
Affected Systems
The issue affects the Perl package HTTP::Session provided by developer KTAT. All releases before version 0.54 are vulnerable. Perl applications that rely on HTTP::Session, whether running on Linux, Windows, or other operating systems, are at risk unless they override the default ID generator. Note that HTTP::Session itself recommends migrating to an alternative solution.
Risk and Exploitability
Based on the description and the metrics, the flaw allows an attacker to predict or brute-force session identifiers because of the insecure seed. The EPSS score of <1% indicates that the likelihood of exploitation is currently very low, even though the CVSS score of 9.8 remains high. The vulnerability is not listed in CISA's KEV catalog, so no widespread exploitation has been reported. Attackers could still use the predictability for targeted hijacking attempts, but the low EPSS suggests such attacks are currently uncommon.
OpenCVE Enrichment