Description

Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library.

* Data::UUID does not use a strong cryptographic source for generating UUIDs.
* Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562.
* The nonces should be generated from a strong cryptographic source, as per RFC 7616.
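The pattern the advisory describes, shown as an added example that is not the module's code or the linked patch: a nonce derived from Data::UUID (predictable input, not a cryptographic source) next to a nonce drawn from the operating system's CSPRNG. The hardened version assumes the non-core CPAN module Crypt::URandom (which reads /dev/urandom, getrandom() or the Windows equivalent); the function names weak_nonce and strong_nonce are illustrative.

```perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);
use Crypt::URandom qw(urandom);   # CPAN, not core: OS-backed CSPRNG bytes

# Weak: the pattern described in the advisory (illustrative, not the
# module's actual code). Data::UUID builds UUIDs from known information,
# so an attacker can anticipate the value; it is not a CSPRNG.
sub weak_nonce {
    require Data::UUID;
    return Data::UUID->new->create_str;
}

# Hardened: RFC 7616 wants the nonce to be unguessable, so take it from a
# cryptographically strong source. 32 random bytes (256 bits) gives an
# attacker no practical chance of predicting or replaying a server nonce.
# base64 without line breaks keeps the value a valid quoted-string token
# for the WWW-Authenticate header.
sub strong_nonce {
    my $nbytes = shift // 32;
    return encode_base64(urandom($nbytes), '');
}

# Minimal sanity check an integrator can run: two consecutive nonces must
# differ and carry the expected amount of entropy-derived length.
sub nonce_self_check {
    my ($a, $b) = (strong_nonce(), strong_nonce());
    die "nonces must not repeat" if $a eq $b;
    die "unexpected nonce length" unless length($a) == 44;  # base64 of 32 bytes
    return 1;
}

print "weak   nonce (predictable): ", weak_nonce(),   "\n" if eval { require Data::UUID };
print "strong nonce (CSPRNG):      ", strong_nonce(), "\n";
print "self-check ok\n" if nonce_self_check();
```

A practitioner reviewing an HTTP Digest implementation can apply the same test to any nonce source: if the generator's inputs (time, MAC address, a name) could be known or guessed by a client, it fails RFC 7616's requirement regardless of how random the output looks.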

Status: PUBLISHED | Reserved 2025-04-16 | Published 2025-08-11 | Updated 2025-08-28 | Assigner CPANSec

Problem types

CWE-340 Generation of Predictable Numbers or Identifiers

CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator

Product status

Default status: unaffected
0.06: affected

References

security.metacpan.org/...-HTTP/1.018/CVE-2025-40920-r1.patch patch

github.com/...Catalyst-Authentication-Credential-HTTP/pull/1 issue-tracking

metacpan.org/...b/Catalyst/Authentication/Credential/HTTP.pm

datatracker.ietf.org/doc/html/rfc9562

datatracker.ietf.org/doc/html/rfc7616

cve.org (CVE-2025-40920)

nvd.nist.gov (CVE-2025-40920)