Impact
The vulnerability arises from the module's use of an insecure source of randomness when generating the initialization vector for encrypting session cookies. The module reads directly from /dev/urandom and falls back to the built‑in rand function when that read fails. Because the built‑in rand provides weak, deterministic output, an attacker can predict the IV. Predictable IVs reduce the strength of the encryption and allow the attacker to decrypt the encrypted data or inject crafted content. Consequently, session data could be read or modified, leading to credential theft or privilege escalation. This weakness is a classic example of CWE‑338 (Cryptographic Failure) and CWE‑1204 (Insecure Randomness).
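The fallback pattern described above, next to a fail-closed alternative, as an added example that is not the module's own source. The function names, the 16-byte IV length and the use of the CPAN module Crypt::URandom are assumptions made here; the page does not say which cipher the module uses or how 0.001004 generates its IV.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

my $IV_LEN = 16;    # assumed block size; the advisory does not name the cipher

# Pattern described in the advisory (reconstructed for illustration):
# read the kernel CSPRNG, silently fall back to rand() if the read fails.
sub weak_iv {
    my ($path) = @_;
    if (open my $fh, '<:raw', $path) {
        my $got = read($fh, my $buf, $IV_LEN);
        close $fh;
        return $buf if defined $got && $got == $IV_LEN;
    }
    # rand() is not a CSPRNG: its output follows entirely from the seed.
    return join '', map { chr(int(rand(256))) } 1 .. $IV_LEN;
}

# Hardened form: a single CSPRNG source, and die instead of degrading.
sub strong_iv {
    require Crypt::URandom;    # CPAN dependency, also supports Windows
    my $buf = Crypt::URandom::urandom($IV_LEN);
    die "CSPRNG returned a short read\n" unless length($buf) == $IV_LEN;
    return $buf;
}

# Demonstration: with the device unavailable (simulated by a constructed,
# nonexistent path), the same seed yields the same "random" IV twice.
my $missing = '/nonexistent/urandom';
srand(1234);
my $iv1 = weak_iv($missing);
srand(1234);
my $iv2 = weak_iv($missing);

printf "fallback IV 1: %s\n", unpack('H*', $iv1);
printf "fallback IV 2: %s\n", unpack('H*', $iv2);
printf "identical:     %s\n", ($iv1 eq $iv2 ? 'yes' : 'no');
printf "CSPRNG IV:     %s\n", unpack('H*', strong_iv());
```

The two fallback IVs print as the same hex string, while the CSPRNG path either returns fresh bytes or aborts, so a missing entropy source becomes a visible failure rather than a silent downgrade.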
Affected Systems
The affected product is JJNAPIORK's PAGI::Middleware::Session::Store::Cookie for Perl, versions up to and including 0.001003. Programs that import this module, such as web applications written in Perl that rely on cookie‑based session storage, are vulnerable unless they upgrade. The vulnerability is relevant on operating systems lacking /dev/urandom, for example Windows, where the fallback mechanism is triggered. Systems that run earlier Perl distributions on any OS are also impacted when the module is loaded.
Risk and Exploitability
Although there is no CVSS, EPSS, or KEV entry, the impact is significant for any application that depends on cookie encryption for session integrity. The attack vector requires the attacker to construct a malicious cookie, which is feasible via a typical web request. Once the IV is predictable, the attacker can decrypt the cookie or forge a valid session. Because the weakness is in the cryptographic routine, the exploitation effort is moderate; knowledge of the module's behavior is sufficient. Upgrading to 0.001004 disables the insecure random source and restores proper IV generation, eliminating the risk.
OpenCVE Enrichment