Crypt::PBKDF2 versions before 0.261630 default to the HMAC‑SHA1 algorithm with only 1000 iterations, a configuration that is no longer considered secure. This weakness allows an attacker to brute‑force or guess stored password hashes much more quickly, potentially compromising user accounts and any system components that rely on those credentials. The flaw is a cryptographic strength weakness as defined by CWE‑916.

Any Perl application that imports the CPAN module Crypt::PBKDF2 from vendor ARODLAND with a version earlier than 0.261630 is affected. Systems using that module to hash or verify passwords—such as web applications, authentication services, or scripts that store hashed credentials—are at risk. The vulnerability is present in the default configuration of the library, so it applies to all installations that have not overridden the algorithm or iteration count.

The likely attack vector is an offline password cracking attempt. Based on the description, it is inferred that an attacker who gains access to hashed credentials or exploits the application’s authentication routine could recover passwords relatively quickly. The risk is significant because the module’s default settings provide insufficient computational effort to resist offline brute‑force attacks. The EPSS score is not available, and the vulnerability is not yet listed in the CISA KEV catalog, but the CVSS score of 5.3 indicates a moderate level of severity.