CVE-2025-40916 | THREATINT

Description

Mojolicious::Plugin::CaptchaPNG version 1.05 for Perl uses a weak random number source for generating the captcha. That version uses the built-in rand() function for generating the captcha text as well as image noise, which is insecure.

Reserved 2025-04-16 | Published 2025-06-16 | Updated 2025-06-16 | Assigner CPANSec

Problem types

CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator

CWE-804 Guessable CAPTCHA

Product status

Default status

unaffected

1.05

affected

References

metacpan.org/...NG-1.05/lib/Mojolicious/Plugin/CaptchaPNG.pm

metacpan.org/...N/Mojolicious-Plugin-CaptchaPNG-1.06/changes

metacpan.org/pod/perlfunc

security.metacpan.org/...uides/random-data-for-security.html

cve.org (CVE-2025-40916)

nvd.nist.gov (CVE-2025-40916)

Download JSON