2380929 – (CVE-2025-40923) CVE-2025-40923 plack-middleware-session: Plack-Middleware-Session insecure session ids

Bug 2380929 (CVE-2025-40923) - CVE-2025-40923 plack-middleware-session: Plack-Middleware-Session insecure session ids

Summary: CVE-2025-40923 plack-middleware-session: Plack-Middleware-Session insecure se...

Keywords:
Status:	NEW
Alias:	CVE-2025-40923
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2381420 2381421
Blocks:
TreeView+	depends on / blocked

Reported:	2025-07-16 14:01 UTC by OSIDB Bzimport
Modified:	2025-07-16 18:34 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-07-16 14:01:48 UTC

Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely.

The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

Predicable session ids could allow an attacker to gain access to systems.

Note You need to log in before you can comment on or make changes to this bug.