CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-40926

CVSS 9.8v3.1pub. 2026-03-05upd. 2026-03-12

Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems. Plack::Middleware::Session::Simple is intended to be compatible with Plack::Middleware::Session, which had a similar security issue CVE-2025-40923.

🤖 AI Analysis
How it works

The default session identifier generator creates a SHA-1 hash seeded with Perl's built-in rand function, epoch time, and process number (PID). The PID comes from a limited set of values, epoch time can be guessed or leaked through an HTTP Date header, and the built-in rand function is not suitable for cryptographic applications. The combination of these factors makes the generated session identifiers predictable and can be reproduced by an attacker without knowledge of secret data.

Impact

An attacker can predict or guess the correct session identifier and then gain unauthorized access to accounts and resources protected by the session — without needing to know the user's password.

Mitigation & patch

Plack::Middleware::Session::Simple should be updated to version 0.05 or later, which introduces a cryptographically secure session identifier generator. The patch is available in the project repository on GitHub.

Who is affected

Plack::Middleware::Session::Simple in versions prior to 0.05 for Perl

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Kazeburo Plack\

    APP
    Kazeburo
    \
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-40562HIGH7.5ten sam vendor

Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Gazelle ...