Impact
Crypt::ScryptKDF versions through 0.010 fall back to Perl's built‑in rand() function when no cryptographically secure pseudo‑random number generator (CSPRNG) module is available. The salt or key material used in the scrypt key derivation function is then deterministic and low in entropy, which weakens the security guarantees of any system that relies on the module to generate cryptographic keys. A compromised key could expose encrypted data or authentication secrets to an attacker.
Affected Systems
The vulnerability affects the Crypt::ScryptKDF Perl library from the MIK vendor, specifically versions 0.010 and earlier. Any system that imports or employs this module in its cryptographic stack without an alternative CSPRNG module installed is susceptible.
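One way to check a host for the condition described above, as an added example that is not code from the advisory or from Crypt::ScryptKDF. The list of CSPRNG modules is an assumption and should be confirmed against the source of the installed module version; the helper names are hypothetical.

```perl
#!/usr/bin/perl
# Added example: report whether this interpreter would hit the rand() fallback.
use strict;
use warnings;
use version;

# Assumption: candidate CSPRNG modules; confirm the list against the
# installed Crypt::ScryptKDF source before relying on the result.
my @CSPRNG_CANDIDATES = qw(
    Crypt::PRNG Crypt::OpenSSL::Random Net::SSLeay
    Crypt::Random Bytes::Random::Secure
);

# Returns the installed Crypt::ScryptKDF version, or undef if it is absent.
sub installed_version {
    return eval { require Crypt::ScryptKDF; Crypt::ScryptKDF->VERSION };
}

# True when the version is inside the advisory's affected range (<= 0.010).
sub is_affected {
    my ($v) = @_;
    return version->parse($v) <= version->parse('0.010');
}

# Candidate CSPRNG modules that actually load (a count in scalar context).
sub available_csprng {
    return grep { my $m = $_; eval "require $m; 1" } @CSPRNG_CANDIDATES;
}

my $v = installed_version();
if (!defined $v) {
    print "OK: Crypt::ScryptKDF is not installed\n";
    exit 0;
}
my @found = available_csprng();
if (is_affected($v) && !@found) {
    print "AT RISK: Crypt::ScryptKDF $v with no CSPRNG module loadable; ",
          "random values would come from rand()\n";
    exit 1;
}
if (is_affected($v)) {
    print "AFFECTED VERSION $v, CSPRNG present (@found); ",
          "the fallback is avoided only while one of these stays installed\n";
    exit 0;
}
print "OK: Crypt::ScryptKDF $v is outside the affected range\n";
```

Run it with the same perl binary and @INC that the application uses, since module availability is per interpreter and per library path.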
Risk and Exploitability
The EPSS score of 0.00017 indicates a very low probability of exploitation, and the vulnerability is not listed in the KEV catalog, implying no known active attacks. However, the lack of a secure random source is a serious weakness in key generation: an attacker who can observe the derived keys may be able to predict them. Based on the description, it is inferred that an attack likely requires local or remote code execution that can load the vulnerable library, but the risk remains significant in contexts that depend on strong key material. The CVSS score is 4.8, yet the described weakness aligns with CWE-338, which typically carries high severity.
OpenCVE Enrichment