The WebDyne::Session module for Perl creates session identifiers by hashing a value that originates from the built‑in rand() function. The rand() seed is built from the process ID, the current epoch time, and an object reference address; however, because the underlying random number generator is only 32 bits and inherently predictable, the resulting MD5 hash is also predictable. This predictable session ID generation exposes applications to session hijacking or session fixation attacks, allowing an attacker to impersonate legitimate users or gain unauthorized access to protected resources. The weakness is documented as CWE‑338 and CWE‑340, reflecting the use of an insecure pseudo‑random number generator for security purposes.

Any Perl web application that incorporates the ASPEER WebDyne::Session module version 2.075 or older is affected, as is any system using WebDyne::Session versions 1.042 and earlier from the separate distribution. The vulnerability specifically targets the session‑ID generation routine in these modules.

The lack of a publicly available EPSS score and the absence of the vulnerability from the CISA KEV catalog indicate no known exploitation yet. Nonetheless, the deterministic nature of the identifier generator gives attackers a straightforward attack path: a remote attacker can craft or brute‑force ID values to hijack sessions or elevate privileges. While the current risk depends on an attacker’s ability to guess or brute‑force the predictable IDs, the impact of successful exploitation could be significant, affecting confidentiality, integrity, and availability of the affected web application.