Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.5
HTTP::Session2 for Perl generates weak session IDs on Windows
CVE-2026-3255
Summary
Using HTTP::Session2 versions before 1.12 for Perl on Windows may compromise user session security. This is because the built-in rand function is used to generate session IDs, which is not secure. To protect your users, update to version 1.12 or later.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| tokuhirom | http\ | \ | – |
Original title
HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function.
The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in...
Original description
HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function.
The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage.
HTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), then it will revert to the insecure method described above.
The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage.
HTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), then it will revert to the insecure method described above.
nvd CVSS3.1
6.5
Vulnerability type
CWE-338
CWE-340
- https://github.com/tokuhirom/HTTP-Session2/commit/9cfde4d7e0965172aef5dcfa3b03bb... Patch
- https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.01/source/lib/HTTP/Sessio... Issue Tracking
- https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.11/source/lib/HTTP/Sessio... Issue Tracking
- https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.12/changes Release Notes
- http://www.openwall.com/lists/oss-security/2026/02/27/12 Mailing List Third Party Advisory
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026