CVE-2025-40920

Summary

Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library.

  • Data::UUID does not use a strong cryptographic source for generating UUIDs.
  • Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562.
  • The nonces should be generated from a strong cryptographic source, as per RFC 7616.

Affected Software

VendorProductVersion RangeStatus
ETHERCatalyst::Authentication::Credential::HTTP0.06 <= 1.018affected

Weaknesses

  • CWE-340: CWE-340 Generation of Predictable Numbers or Identifiers
  • CWE-338: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References