{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-40926", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2025-04-16T09:05:34.362Z", "datePublished": "2026-03-05T01:24:34.151Z", "dateUpdated": "2026-04-21T02:42:17.296Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Plack-Middleware-Session-Simple", "product": "Plack::Middleware::Session::Simple", "programFiles": ["lib/Plack/Middleware/Session/Simple.pm"], "programRoutines": [{"name": "Plack::Middleware::Session::Simple::sid_generator"}], "repo": "https://github.com/kazeburo/Plack-Middleware-Session-Simple", "vendor": "KAZEBURO", "versions": [{"lessThan": "0.05", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely.\n\nThe default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nPredictable session ids could allow an attacker to gain access to systems.\n\nPlack::Middleware::Session::Simple is intended to be compatible with Plack::Middleware::Session, which had a similar security issue CVE-2025-40923."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-340", "description": "CWE-340 Generation of Predictable Numbers or Identifiers", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-03-11T23:25:24.779Z"}, "references": [{"url": "https://metacpan.org/release/KAZEBURO/Plack-Middleware-Session-Simple-0.04/source/lib/Plack/Middleware/Session/Simple.pm#L43"}, {"tags": ["issue-tracking"], "url": "https://github.com/kazeburo/Plack-Middleware-Session-Simple/pull/4"}, {"tags": ["patch"], "url": "https://github.com/kazeburo/Plack-Middleware-Session-Simple/commit/760bb358b8f53e52cf415888a4ac858fd99bb24e.patch"}, {"tags": ["vendor-advisory", "related", "vdb-entry"], "url": "https://www.cve.org/CVERecord?id=CVE-2025-40923"}, {"tags": ["technical-description"], "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"}, {"tags": ["release-notes"], "url": "https://metacpan.org/release/KAZEBURO/Plack-Middleware-Session-Simple-0.05/changes"}], "solutions": [{"lang": "en", "value": "Users are advised to upgrade to version 0.05 or later."}], "source": {"discovery": "UNKNOWN"}, "title": "Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely", "workarounds": [{"lang": "en", "value": "Users are advised to change the sid_generator attribute of Plack::Middleware::Session::Simple to a function that returns a securely generated session id based on a secure source of entropy from the system.\n\nUsers may consider using Plack::Middleware::Session version 0.35 or later."}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T16:28:14.069463Z", "id": "CVE-2025-40926", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T02:42:17.296Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-40926", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-05T16:28:14.069463Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T16:29:20.447Z"}}], "cna": {"title": "Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely", "source": {"discovery": "UNKNOWN"}, "affected": [{"repo": "https://github.com/kazeburo/Plack-Middleware-Session-Simple", "vendor": "KAZEBURO", "product": "Plack::Middleware::Session::Simple", "versions": [{"status": "affected", "version": "0", "lessThan": "0.05", "versionType": "custom"}], "packageName": "Plack-Middleware-Session-Simple", "programFiles": ["lib/Plack/Middleware/Session/Simple.pm"], "collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "programRoutines": [{"name": "Plack::Middleware::Session::Simple::sid_generator"}]}], "solutions": [{"lang": "en", "value": "Users are advised to upgrade to version 0.05 or later."}], "references": [{"url": "https://metacpan.org/release/KAZEBURO/Plack-Middleware-Session-Simple-0.04/source/lib/Plack/Middleware/Session/Simple.pm#L43"}, {"url": "https://github.com/kazeburo/Plack-Middleware-Session-Simple/pull/4", "tags": ["issue-tracking"]}, {"url": "https://github.com/kazeburo/Plack-Middleware-Session-Simple/commit/760bb358b8f53e52cf415888a4ac858fd99bb24e.patch", "tags": ["patch"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-40923", "tags": ["vendor-advisory", "related", "vdb-entry"]}, {"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html", "tags": ["technical-description"]}, {"url": "https://metacpan.org/release/KAZEBURO/Plack-Middleware-Session-Simple-0.05/changes", "tags": ["release-notes"]}], "workarounds": [{"lang": "en", "value": "Users are advised to change the sid_generator attribute of Plack::Middleware::Session::Simple to a function that returns a securely generated session id based on a secure source of entropy from the system.\n\nUsers may consider using Plack::Middleware::Session version 0.35 or later."}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}, "descriptions": [{"lang": "en", "value": "Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely.\n\nThe default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nPredictable session ids could allow an attacker to gain access to systems.\n\nPlack::Middleware::Session::Simple is intended to be compatible with Plack::Middleware::Session, which had a similar security issue CVE-2025-40923."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-340", "description": "CWE-340 Generation of Predictable Numbers or Identifiers"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-03-11T23:25:24.779Z"}}}, "cveMetadata": {"cveId": "CVE-2025-40926", "state": "PUBLISHED", "dateUpdated": "2026-04-21T02:42:17.296Z", "dateReserved": "2025-04-16T09:05:34.362Z", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "datePublished": "2026-03-05T01:24:34.151Z", "assignerShortName": "CPANSec"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kazeburo:plack\\:\\:middleware\\:\\:session\\:\\:simple:*:*:*:*:*:perl:*:*", "matchCriteriaId": "B99A5199-295A-487A-95D0-2DDF94AFDE71", "versionEndExcluding": "0.05", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely.\n\nThe default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nPredictable session ids could allow an attacker to gain access to systems.\n\nPlack::Middleware::Session::Simple is intended to be compatible with Plack::Middleware::Session, which had a similar security issue CVE-2025-40923."}, {"lang": "es", "value": "Las versiones de Plack::Middleware::Session::Simple hasta la 0.04 para Perl generan identificadores de sesi\u00f3n de forma insegura.\n\nEl generador predeterminado de identificadores de sesi\u00f3n devuelve un hash SHA-1 inicializado con la funci\u00f3n rand incorporada, el tiempo epoch y el PID. El PID provendr\u00e1 de un peque\u00f1o conjunto de n\u00fameros, y el tiempo epoch puede ser adivinado, si no se filtra del encabezado HTTP Date. La funci\u00f3n rand incorporada no es adecuada para uso criptogr\u00e1fico.\n\nLos identificadores de sesi\u00f3n predecibles podr\u00edan permitir a un atacante obtener acceso a los sistemas.\n\nPlack::Middleware::Session::Simple est\u00e1 dise\u00f1ado para ser compatible con Plack::Middleware::Session, que tuvo un problema de seguridad similar CVE-2025-40923."}], "id": "CVE-2025-40926", "lastModified": "2026-03-12T00:16:10.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T02:16:39.790", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Patch"], "url": "https://github.com/kazeburo/Plack-Middleware-Session-Simple/commit/760bb358b8f53e52cf415888a4ac858fd99bb24e.patch"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/kazeburo/Plack-Middleware-Session-Simple/pull/4"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Issue Tracking", "Product"], "url": "https://metacpan.org/release/KAZEBURO/Plack-Middleware-Session-Simple-0.04/source/lib/Plack/Middleware/Session/Simple.pm#L43"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://metacpan.org/release/KAZEBURO/Plack-Middleware-Session-Simple-0.05/changes"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Third Party Advisory"], "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2025-40923"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-338"}, {"lang": "en", "value": "CWE-340"}], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.04]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Plack::Middleware::Session::Simple", "source": "cna", "vendor": "KAZEBURO"}, "product": "plack::middleware::session::simple", "vendor": "kazeburo"}], "analysis": {"en": {"generated_at": "2026-04-22T11:24:31.695733+00:00", "value": {"mitigation_remediation": ["Apply the latest patch by upgrading Plack::Middleware::Session::Simple to version 0.05 or newer", "If a quick upgrade is not possible, configure the sid_generator attribute to a function that returns a securely generated session id based on a secure source of entropy from the system", "Alternatively, replace the module with Plack::Middleware::Session version 0.35 or later, which uses a stronger session id generator"], "summary": {"action": "Patch", "impact": "Insecure session identifiers can lead to session hijacking"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Perl module Plack::Middleware::Session::Simple from vendor KAZEBURO. All releases prior to 0.05 are impacted. The advisory also notes that Plack::Middleware::Session, which has a similar flaw (CVE\u20112025\u201140923), is fixed in version 0.35. Systems that rely on older versions of these modules are at risk.", "description_and_impact": "Plack::Middleware::Session::Simple before 0.05 creates session identifiers by hashing a value that includes the result of Perl's built-in rand function, the current time, and the process ID. The rand function is not cryptographically secure, and the time and PID values are small or guessable, so the resulting SHA\u20111 hash is predictable. An attacker who can guess a valid session id can impersonate a user or hijack an existing session, gaining whatever privileges the legitimate session holds. Therefore this weakness constitutes a critical flaw that directly exposes confidentiality and integrity of user sessions.", "risk_and_exploitability": "The CVSS base score of 9.8 signals critical severity, and the EPSS score of <1% indicates a low but not negligible likelihood of exploitation in the wild. The module is not listed in the CISA KEV catalog, so no known public exploit has been reported yet. However, because the session ids are generated using low\u2011entropy data, an attacker can predict them with limited effort, especially if the HTTP Date header leaks the epoch time. Consequently the risk remains high, and rapid mitigation is recommended."}}}}, "created": "2026-03-06T15:18:03.179281+00:00", "updated": "2026-04-22T11:30:15.373300+00:00", "vendors": ["kazeburo", "kazeburo$PRODUCT$plack::middleware::session::simple"]}