Nixpkgs security tracker
NIXPKGS-2026-0558
GitHub issue
published on
Permalink
CVE-2025-40931
9.1 CRITICAL
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): NONE
by @mweinelt Activity log
- Created suggestion
- @mweinelt accepted
- @mweinelt published on GitHub
Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id
Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.
References
Affected products
Apache-Session
- =<1.94
Matching in nixpkgs
pkgs.perlPackages.ApacheSession
Persistence framework for session data
pkgs.perl5Packages.ApacheSession
Persistence framework for session data
pkgs.perl538Packages.ApacheSession
Persistence framework for session data
pkgs.perl540Packages.ApacheSession
Persistence framework for session data