Home

Description

Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks. These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying derived-key.

PUBLISHED Reserved 2026-05-26 | Published 2026-06-12 | Updated 2026-06-12 | Assigner CPANSec

Problem types

CWE-208 Observable Timing Discrepancy

Product status

Default status
unaffected

Any version before 0.261630
affected

Timeline

2017-12-11:Issue reported as pull request
2026-06-11:Version 0.261630 released with a fix

References

www.openwall.com/lists/oss-security/2026/06/12/3

github.com/arodland/Crypt-PBKDF2/pull/6 issue-tracking

metacpan.org/...t-PBKDF2-0.161520/source/lib/Crypt/PBKDF2.pm

metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.261630/changes release-notes

cve.org (CVE-2017-20240)

nvd.nist.gov (CVE-2017-20240)

Download JSON