Crypt::SaltedHash supply chain generates cryptographic salts using Perl's built‑in rand function, which is designed for general‑purpose random number generation and not for cryptographic use. The predictable output means an attacker can infer or brute‑force the salt values, directly weakening hash uniqueness and enabling hash precomputation or birthday attacks. This vulnerability undermines the confidentiality and integrity of data that relies on salted hashes, such as stored password credentials, and can lead to credential theft or unauthorized access when the library is used in authentication systems.

The vulnerability affects RRWO's Crypt::SaltedHash Perl module versions through 0.09, inclusive. Systems that depend on any of these versions to hash passwords, tokens, or other sensitive data are at risk.

No CVSS score is currently available, and the EPSS score is not disclosed, so the quantitative severity is unknown. However, the lack of a KEV listing does not diminish the potential impact for applications that use salted hashes for security. If a malicious actor can influence input to the library or gain access to the hashing process, they may predict salts and efficiently perform offline attacks against stored hashes. The vulnerability is exploitable in any environment where the module is loaded and used to create hashed credentials, making the attack vector nominally local or script‑based within the affected application.