Description
Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id.

The generate_session_id function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes using a SHA-1 hash seeded with the built-in rand() function, the PID, and the high-resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.
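As an added illustration (not code from Amon2 or the CSRFDefender module), the following Perl places a generator built the way the description outlines next to one that reads /dev/urandom and fails closed instead of degrading. The function names weak_session_id and secure_session_id are hypothetical; the hardened version doubles as the deployment check that the process can actually read /dev/urandom.

```perl
#!/usr/bin/env perl
# Added example for CVE-2026-5082 (hypothetical code, not the module's own).
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);
use Time::HiRes qw(time);

# Mirrors the fallback the advisory describes: SHA-1 over rand(), the PID
# and the high-resolution clock. Every input is guessable or leaks (PID range,
# Date header), so the output is predictable. Kept only for contrast.
sub weak_session_id {
    return sha1_hex(join(':', rand(), $$, time()));
}

# Hardened: read the requested number of bytes from /dev/urandom and die if
# the device cannot be opened or returns a short read. Failing closed is the
# point; a caller that cannot get CSPRNG bytes must not issue a session id.
sub secure_session_id {
    my ($nbytes) = @_;
    $nbytes ||= 32;
    open(my $fh, '<:raw', '/dev/urandom')
        or die "cannot open /dev/urandom: $!";
    my $got = read($fh, my $buf, $nbytes);
    close($fh);
    die "short read from /dev/urandom"
        unless defined $got && $got == $nbytes;
    return unpack('H*', $buf);
}

print "weak fallback: ", weak_session_id(), "\n";
print "secure:        ", secure_session_id(), "\n";
```

Running the script on a host where /dev/urandom is not readable (for example a chroot or container built without device nodes) makes secure_session_id die, which is the behaviour the fixed dependency chain should have; on CPAN, Crypt::URandom wraps the same fail-closed read portably.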

Amon2::Plugin::Web::CSRFDefender versions before 7.00 were part of Amon2, which was vulnerable to insecure session ids due to CVE-2025-15604.

Note that the author has deprecated this module.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Insecure session identifier leading to possible session hijacking
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from the generate_session_id function, which uses low-entropy sources when /dev/urandom is unavailable. The resulting session identifiers are predictable, allowing an attacker to guess or reproduce a session ID and impersonate a legitimate user. This compromise can lead to unauthorized access, session hijacking, and potentially full compromise of the web application. The weakness is a cryptographic random number generation fault, reflected in CWE-338 and CWE-340.

Affected Systems

Vulnerable software is the TOKUHIROM Amon2::Plugin::Web::CSRFDefender module for Perl, versions 7.00 through 7.03 inclusive. These versions are part of the Amon2 web framework and have been deprecated by the author. Systems running any of these releases are susceptible to the insecure session ID flaw.

Risk and Exploitability

The CVSS base score of 5.3 indicates a moderate impact, while the EPSS score of less than 1% suggests low exploitation likelihood in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation would typically be carried out remotely against the web application, with the main prerequisite being that /dev/urandom is unavailable so the weak fallback is used. Attackers could read HTTP headers such as Date to narrow the epoch time and combine it with the small range of likely PIDs to reconstruct the ID.

Generated by OpenCVE AI on April 8, 2026 at 17:52 UTC.

Remediation

Vendor Solution

Upgrade to Amon2::Plugin::Web::CSRFDefender version 7.04 or later.

OpenCVE Recommended Actions

  • Upgrade to Amon2::Plugin::Web::CSRFDefender version 7.04 or later.
  • If an upgrade is not immediately feasible, verify that /dev/urandom is accessible on the host; ensure the server can read from it.
  • Consider disabling or replacing the CSRFDefender module with a vetted CSRF protection library.
  • Audit session management configuration for other weak entropy sources and enforce secure random generators.
  • Monitor user sessions for suspicious activity such as unexpected logins or session anomalies.

Generated by OpenCVE AI on April 8, 2026 at 17:52 UTC.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Tokuhirom amon2\
CPEs                                  cpe:2.3:a:tokuhirom:amon2\:\:plugin\:\:web\:\:csrfdefender:*:*:*:*:*:perl:*:*
Vendors & Products                    Tokuhirom amon2\

Wed, 08 Apr 2026 19:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Tokuhirom
                                      Tokuhirom amon2::plugin::web::csrfdefender
Vendors & Products                    Tokuhirom
                                      Tokuhirom amon2::plugin::web::csrfdefender

Wed, 08 Apr 2026 16:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}
                                      ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 06:00:00 +0000

Type                 Values Removed   Values Added
Description                           Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id. The generate_session_id function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes using SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Amon2::Plugin::Web::CSRFDefender versions before 7.00 were part of Amon2, which was vulnerable to insecure session ids due to CVE-2025-15604. Note that the author has deprecated this module.
Title                                 Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id
Weaknesses                            CWE-338
                                      CWE-340
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-04-08T16:09:26.357Z

Reserved: 2026-03-28T19:12:35.387Z

Link: CVE-2026-5082

Vulnrichment

Updated: 2026-04-08T16:09:22.763Z

NVD

Status : Analyzed

Published: 2026-04-08T06:16:28.993

Modified: 2026-04-23T15:03:31.813

Link: CVE-2026-5082

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:43:52Z

Weaknesses