Impact
Crypt::DSA versions prior to 1.20 generate cryptographic seeds with Perl's built-in rand function, a non-cryptographic pseudorandom generator whose output is deterministic and therefore predictable from its seed. The predictable seeds expose cryptographic key material to an attacker who can anticipate the chosen prime numbers and thus the resulting digital signature keys. The vulnerability falls under the CWE-331 category of predictable random number generation and can lead to a loss of confidentiality and integrity of signed messages.
Affected Systems
The affected component is the Perl Crypt::DSA module supplied by TIMLEGGE. Any installation using a version older than 1.20 that relies on this module for generating DSA keys is vulnerable. The official remediation is to upgrade to version 1.20 or later, as stated by the vendor.
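A host-side audit for the version condition described above, as an added example that is not part of the advisory or of the Crypt::DSA distribution: it walks every directory in @INC, reads the $VERSION of each Crypt/DSA.pm it finds without loading the module, and flags copies older than the fixed release 1.20. The regular expression for extracting $VERSION is an assumption that matches the usual `our $VERSION = '...'` form.

```perl
#!/usr/bin/env perl
# Added audit example (not advisory or upstream code): report every installed
# copy of Crypt::DSA and whether it predates the fixed version 1.20.
use strict;
use warnings;
use version;
use File::Spec;

my $FIXED = version->parse('1.20');

# Check each library directory Perl would search, so a stale copy that is
# shadowed by a newer one elsewhere in @INC is still reported.
sub find_installed_copies {
    my @found;
    for my $dir (@INC) {
        next if ref $dir;    # skip code refs / hooks that can appear in @INC
        my $path = File::Spec->catfile($dir, 'Crypt', 'DSA.pm');
        next unless -f $path;
        push @found, { path => $path, version => read_version($path) };
    }
    return @found;
}

# Extract the $VERSION assignment from the source text instead of loading the
# module, so the audit does not execute the code it is inspecting.
# Assumption: the module uses the common "our $VERSION = '1.17';" form.
sub read_version {
    my ($path) = @_;
    open my $fh, '<', $path or return undef;
    while (my $line = <$fh>) {
        if ($line =~ /^\s*(?:our\s+)?\$VERSION\s*=\s*['"]?([0-9][0-9._]*)['"]?/) {
            return $1;
        }
    }
    return undef;
}

sub is_vulnerable {
    my ($ver) = @_;
    return 1 unless defined $ver;    # unknown version: treat as unpatched
    return version->parse($ver) < $FIXED ? 1 : 0;
}

my @copies = find_installed_copies();
print "Crypt::DSA not found in \@INC\n" unless @copies;
for my $c (@copies) {
    printf "%s  version=%s  %s\n", $c->{path}, $c->{version} // 'unknown',
        is_vulnerable($c->{version}) ? 'VULNERABLE (< 1.20)' : 'ok';
}
```

Run it with the same perl binary the application uses (for example under its virtual environment or local::lib), since @INC differs between interpreters.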
Risk and Exploitability
No CVSS score is provided in the current data, and no EPSS score is available, which is consistent with limited publicly known exploitation activity. The vulnerability does not appear in the CISA KEV catalog. Because the flaw lies in key generation, an attacker would need either the ability to influence key creation or access to the environment where the module runs. While no exploits have been reported, the underlying weakness would let an attacker precompute keys if they can observe or predict the seed sequence, so the risk is significant for systems that use this module for critical signing operations.
OpenCVE Enrichment