Description
Dancer::Session::Abstract versions through 1.3522 for Perl generate session ids insecurely.

The session id is generated by summing the character codepoints of the absolute pathname with the process id, the epoch time and a call to the built-in rand() function returning a number between 0 and 999 billion, and concatenating that result three times.

The path name might be known or guessed by an attacker, especially for applications known to be written using Dancer with standard installation locations.

The epoch time can be guessed by an attacker, and may be leaked in the HTTP header.

The process id comes from a small set of numbers, and workers may have sequential process ids.

The built-in rand() function is seeded with only 32 bits and is considered unsuitable for security applications.

Predictable session ids could allow an attacker to gain access to systems.
Published: 2026-04-30
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability exists in the Perl module Dancer::Session::Abstract through version 1.3522. Session identifiers are created by summing the character codepoints of the absolute pathname, the process identifier, the epoch time and a call to Perl's built-in rand() function, then concatenating the result three times. Because the pathname can be known or guessed, the epoch time can be inferred or leaked via HTTP headers, the process ID comes from a limited set of numbers, and rand() is seeded with a weak 32-bit value, the generated session IDs are highly predictable. This falls under CWE-338 and CWE-340, in which a cryptographically insecure random number generator is used to produce a value that must be unpredictable.

Affected Systems

The affected product is BIGPRESH's Dancer::Session::Abstract in any installation of the module through version 1.3522. All applications that rely on the default session ID generation mechanism in that version range are affected; no specific operating system or deployment environment is named, so every environment running this module is in scope.

Risk and Exploitability

The CVSS score is 5.9, indicating moderate severity. The EPSS score is not available, indicating limited public exploitation data, and the defect is not listed in the CISA KEV catalog. An attacker can exploit this weakness by guessing or brute-forcing session identifiers, especially when the application uses standard installation locations that reveal the pathname, exposes the epoch time in HTTP headers, or runs workers with sequential process IDs. The existence of an official patch mitigates the risk by improving the randomness of session ID construction.

Generated by OpenCVE AI on May 1, 2026 at 05:12 UTC.

Remediation

Vendor Workaround

Apply the linked patch.


OpenCVE Recommended Actions

  • Apply the linked patch (CVE-2026-5080-r1) to Dancer::Session::Abstract to replace the insecure random number generation logic
  • Replace the session ID generator with a cryptographically secure source, such as Math::Random::Secure or similar libraries
  • Avoid leaking epoch time in HTTP responses and use non-standard, non-guessable application directories to reduce path-based predictability

Generated by OpenCVE AI on May 1, 2026 at 05:12 UTC.
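As an added illustration (not code from Dancer, CPANSec or OpenCVE), the construction summarised in the Description and Impact sections next to the kind of CSPRNG-based generator the recommended actions call for. weak_session_id() follows the CVE text only; the exact arithmetic in Dancer may differ, and the seed value, the use of /dev/urandom and the 32-byte length are assumptions:

```perl
#!/usr/bin/env perl
# Illustration following the CVE description, not Dancer's own code.
use strict;
use warnings;
use Cwd qw(abs_path);

# Weak construction as described: codepoint sum of the absolute path
# + pid + epoch time + rand() in [0, 999 billion), concatenated 3 times.
# Path, pid and time are passed in to make clear that an attacker can
# supply the same values; only rand() contributes anything unknown.
sub weak_session_id {
    my ($path, $pid, $epoch) = @_;
    my $sum = 0;
    $sum += ord($_) for split //, $path;   # public if the install path is known
    my $id = '';
    for (1 .. 3) {
        # rand() is non-cryptographic and seeded from only 32 bits
        $id .= $sum + $pid + $epoch + int(rand(999_999_999_999));
    }
    return $id;
}

# Replacement: 32 bytes from the OS CSPRNG, hex-encoded (256 bits of
# entropy, no dependence on path, pid or time). Math::Random::Secure,
# named in the recommended actions, is a portable alternative to
# reading /dev/urandom directly.
sub secure_session_id {
    my $want = 32;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $buf, $want;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $want;
    return unpack 'H*', $buf;              # 64 hex characters
}

# Demo: with the same public inputs and the same 32-bit seed the weak id
# is reproduced exactly, so guessing the seed is all that is left to do.
my ($path, $pid, $now) = (abs_path($0), $$, time());
srand(12345);                              # constructed seed for the demo
my $first = weak_session_id($path, $pid, $now);
srand(12345);
my $second = weak_session_id($path, $pid, $now);
print "weak id reproduced under the same seed: ", ($first eq $second ? "yes" : "no"), "\n";
print "weak id:   $first\n";
print "secure id: ", secure_session_id(), "\n";
```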

Advisories

No advisories yet.

History

Fri, 01 May 2026 08:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Bigpresh; Bigpresh dancer::session::abstract
Vendors & Products                     Bigpresh; Bigpresh dancer::session::abstract

Thu, 30 Apr 2026 19:30:00 +0000

Type                  Values Removed   Values Added
References

Thu, 30 Apr 2026 14:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                                       ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 12:15:00 +0000

Type                  Values Removed   Values Added
Description                            Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely. The session id is generated from summing the character codepoints of the absolute pathname with the process id, the epoch time and calls to the built-in rand() function to return a number between 0 and 999-billion, and concatenating that result three times. The path name might be known or guessed by an attacker, especially for applications known to be written using Dancer with standard installation locations. The epoch time can be guessed by an attacker, and may be leaked in the HTTP header. The process id comes from a small set of numbers, and workers may have sequential process ids. The built-in rand() function is seeded with 32-bits and is considered unsuitable for security applications. Predictable session ids could allow an attacker to gain access to systems.
Title                                  Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely
Weaknesses                             CWE-338; CWE-340
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-04-30T18:29:20.778Z

Reserved: 2026-03-28T19:06:14.484Z

Link: CVE-2026-5080

Vulnrichment

Updated: 2026-04-30T18:29:20.778Z

NVD

Status : Awaiting Analysis

Published: 2026-04-30T12:16:24.333

Modified: 2026-04-30T19:16:10.587

Link: CVE-2026-5080

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:21:26Z

Weaknesses