CVE-2025-40915 (GCVE-0-2025-40915)

Vulnerability from cvelistv5 – Published: 2025-06-11 17:09 – Updated: 2025-06-11 17:57
VLAI?
Summary
Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens. That version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function.
Severity ?
7 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
CWE
  • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator
Assigner
References
Impacted products
Vendor Product Version
GRYPHON Mojolicious::Plugin::CSRF Affected: 1.03 (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-40915",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-11T17:52:49.542565Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-11T17:57:28.026Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Mojolicious-Plugin-CSRF",
          "product": "Mojolicious::Plugin::CSRF",
          "repo": "https://github.com/gryphonshafer/Mojo-Plugin-CSRF",
          "vendor": "GRYPHON",
          "versions": [
            {
              "status": "affected",
              "version": "1.03",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eMojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens.\u003c/div\u003e\u003cdiv\u003eThat version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function.\u003c/div\u003e"
            }
          ],
          "value": "Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens.\n\nThat version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-62",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-62: Cross Site Request Forgery"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-338",
              "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-11T17:09:50.664Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "url": "https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/diff/GRYPHON/Mojolicious-Plugin-CSRF-1.03"
        },
        {
          "url": "https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/changes"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Users of version 1.03 should upgrade to 1.04."
            }
          ],
          "value": "Users of version 1.03 should upgrade to 1.04."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2025-40915",
    "datePublished": "2025-06-11T17:09:50.664Z",
    "dateReserved": "2025-04-16T09:05:34.361Z",
    "dateUpdated": "2025-06-11T17:57:28.026Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-40915\",\"sourceIdentifier\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"published\":\"2025-06-11T17:15:42.793\",\"lastModified\":\"2025-06-12T16:06:20.180\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens.\\n\\nThat version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function.\"},{\"lang\":\"es\",\"value\":\"Mojolicious::Plugin::CSRF 1.03 para Perl utiliza una fuente de n\u00fameros aleatorios d\u00e9bil para generar tokens CSRF. Esta versi\u00f3n del m\u00f3dulo genera tokens como un MD5 del ID del proceso, la hora actual y una \u00fanica llamada a la funci\u00f3n integrada rand().\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-338\"}]}],\"references\":[{\"url\":\"https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/changes\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\"},{\"url\":\"https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/diff/GRYPHON/Mojolicious-Plugin-CSRF-1.03\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-40915\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-11T17:52:49.542565Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-11T17:56:38.434Z\"}}], \"cna\": {\"title\": \"Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-62\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-62: Cross Site Request Forgery\"}]}], \"affected\": [{\"repo\": \"https://github.com/gryphonshafer/Mojo-Plugin-CSRF\", \"vendor\": \"GRYPHON\", \"product\": \"Mojolicious::Plugin::CSRF\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.03\", \"versionType\": \"custom\"}], \"packageName\": \"Mojolicious-Plugin-CSRF\", \"collectionURL\": \"https://cpan.org/modules\", \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Users of version 1.03 should upgrade to 1.04.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Users of version 1.03 should upgrade to 1.04.\", \"base64\": false}]}], \"references\": [{\"url\": \"https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/diff/GRYPHON/Mojolicious-Plugin-CSRF-1.03\"}, {\"url\": \"https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/changes\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens.\\n\\nThat version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003eMojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens.\u003c/div\u003e\u003cdiv\u003eThat version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function.\u003c/div\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-338\", \"description\": \"CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator\"}]}], \"providerMetadata\": {\"orgId\": \"9b29abf9-4ab0-4765-b253-1875cd9b441e\", \"shortName\": \"CPANSec\", \"dateUpdated\": \"2025-06-11T17:09:50.664Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-40915\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-11T17:57:28.026Z\", \"dateReserved\": \"2025-04-16T09:05:34.361Z\", \"assignerOrgId\": \"9b29abf9-4ab0-4765-b253-1875cd9b441e\", \"datePublished\": \"2025-06-11T17:09:50.664Z\", \"assignerShortName\": \"CPANSec\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.