oss-sec mailing list archives

CVE-2026-5082: Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id


From: Robert Rothenberg <rrwo () cpansec org>
Date: Wed, 8 Apr 2026 06:51:21 +0100

========================================================================
CVE-2026-5082                                        CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-5082
  Distribution:  Amon2-Plugin-Web-CSRFDefender
      Versions:  from 7.00 through 7.03

      MetaCPAN: https://metacpan.org/dist/Amon2-Plugin-Web-CSRFDefender
      VCS Repo: https://github.com/tokuhirom/Amon2-Plugin-Web-CSRFDefender


Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for
Perl generate an insecure session id

Description
-----------
Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for
Perl generate an insecure session id.

The generate_session_id function will attempt to read bytes from the
/dev/urandom device, but if that is unavailable then it generates bytes
using SHA-1 hash seeded with the built-in rand() function, the PID, and
the high resolution epoch time.  The PID will come from a small set of
numbers, and the epoch time may be guessed, if it is not leaked from
the HTTP Date header. The built-in rand function is unsuitable for
cryptographic usage.

Amon2::Plugin::Web::CSRFDefender versions before 7.00 were part of
Amon2, which was vulnerable to insecure session ids due to
CVE-2025-15604.

Note that the author has deprecated this module.

Problem types
-------------
- CWE-340 Generation of Predictable Numbers or Identifiers
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator

Solutions
---------
Upgrade to Amon2::Plugin::Web::CSRFDefender version 7.04 or later.


References
----------
https://metacpan.org/release/TOKUHIROM/Amon2-Plugin-Web-CSRFDefender-7.03/source/lib/Amon2/Plugin/Web/CSRFDefender/Random.pm
https://metacpan.org/release/TOKUHIROM/Amon2-Plugin-Web-CSRFDefender-7.04/changes
https://www.cve.org/CVERecord?id=CVE-2025-15604




Current thread: