Impact
The vulnerability resides in the Apache::Session::Generate::SHA256 module before version 1.3.19. The module creates session identifiers by hashing the output of Perl's built-in rand() function together with the current epoch time and the process ID, and then hashing that result again. None of these inputs is secret and together they provide very little entropy, so an attacker can predict or brute-force valid session identifiers; the second hash does not add any entropy, it only transforms the same small input space. A guessed session ID grants unauthorized access to protected resources wherever the application treats the session token as an authenticated credential. The weakness is mapped to CWE-340 (Use of Predictable Random Number Generators) and CWE-338 (Hard-Coded Key or Secret).
Affected Systems
All installations of Apache::Session::Generate::SHA256 for Perl prior to version 1.3.19 are affected. The fix is included in 1.3.19, which uses the secure random number generator provided by Crypt::URandom whenever it is available. No other vendors or product versions are listed as affected in the CNA data.
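The weak construction described above, shown beside a hardened generator of the kind the fix adopts, as an added illustration that is not the module's own code. The function names are mine; the only library assumptions are Digest::SHA (core Perl) and Crypt::URandom from CPAN.

```perl
#!/usr/bin/perl
# Added illustration (not Apache::Session's own code): the weak session ID
# construction the advisory describes, next to a hardened replacement.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Weak generator, modelled on the advisory's description: rand(), epoch
# time and PID concatenated, hashed, then hashed again. The second hash
# adds no entropy; the output is a deterministic function of a small,
# largely guessable input space (time and PID are not secret).
sub weak_session_id {
    my $seed = rand() . time() . $$;
    return sha256_hex( sha256_hex($seed) );
}

# Hardened generator: 32 bytes from the operating system's CSPRNG via
# Crypt::URandom (the source the 1.3.19 fix relies on), hashed once so the
# identifier keeps the same 64-character hex format.
sub secure_session_id {
    require Crypt::URandom;                       # CPAN module, assumed installed
    my $bytes = Crypt::URandom::urandom(32);      # dies if no OS entropy source
    return sha256_hex($bytes);
}

# Deployment check for defenders: the pre-fix behaviour is dangerous because
# it silently degrades to rand(). Make the absence of a secure source a hard
# error instead of an invisible fallback.
sub assert_secure_rng_available {
    eval { require Crypt::URandom; 1 }
        or die "Crypt::URandom is not installed; refusing to generate "
             . "session IDs from rand()/time/PID: $@";
    return 1;
}

assert_secure_rng_available();
printf "weak   (predictable inputs): %s\n", weak_session_id();
printf "secure (OS CSPRNG):          %s\n", secure_session_id();
```

Running it on a host without Crypt::URandom dies with the diagnostic instead of emitting a weak identifier, which is the behaviour to expect from session middleware rather than a silent fallback.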
Risk and Exploitability
The CVSS score is 6.5 (moderate severity), and the EPSS score is below 1%, indicating a very low but non-zero exploitation probability. The vulnerability is not listed in CISA's KEV catalog, so no publicly available exploit evidence is currently documented. However, the nature of the flaw (predictable session ID generation) means that an attacker who can observe or guess the epoch time and PID space can generate likely session tokens or conduct a brute-force search against the deterministic set, potentially achieving session hijacking without remote code execution or insider privileges. Consequently, the risk remains significant for systems that rely on this module for session management.
OpenCVE Enrichment