PAGI::Middleware::Session::Store::Cookie versions up to 0.001003 generate random bytes for the encryption IV in an insecure manner by using a fallback built‑in random function when reading from /dev/urandom fails. This unreliable source produces a predictable initialization vector, which undermines the confidentiality of the encrypted session cookie. As a result, an attacker who can observe or influence the cookie may be able to decrypt and tamper with session data stored in the cookie, potentially leading to unauthorized access or elevation of privileges within the web application.

The vulnerability affects the Perl module pagI::Middleware::Session::Store::Cookie distributed by the vendor JJNAPIORK. Versions through 0.001003 are impacted, while the updated release 0.001004 and later contain the fix.

The CVSS score of 7.5 indicates a high severity, yet the EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability is not listed in CISA’s KEV catalog, which further reduces the observed threat level. The attack scenario inferred from the description requires an attacker to obtain or influence the encrypted cookie; with a predictable IV, decryption becomes feasible, enabling tampering. While the primary vector is local or remote via web application traffic that transmits the cookie, the defined weakness hinges on the randomness flaw rather than an immediate network exploit. Therefore, the risk is significant enough to warrant prompt action but the probability of rapid exploitation remains low.