CVSS 3.1 score: 8.2

Apache::SessionX for Perl generates predictable session IDs

CVE-2025-40932
Summary

Apache::SessionX for Perl creates session IDs that an attacker can guess. An attacker who guesses a valid ID takes over that session, which may give unauthorized access to systems or to sensitive information. Update to a version of Apache::SessionX that uses a secure session ID generator once one is available; until then, ensure session IDs come from a cryptographically secure random source, or take other measures to protect sensitive data.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor: grichter
Product: apache
Affected versions: (not listed here; the description below says versions through 2.01)
Fix available: –
Original title
Apache::SessionX versions through 2.01 for Perl create insecure session id.
Original description
Apache::SessionX versions through 2.01 for Perl create insecure session id.

Apache::SessionX generates session ids insecurely. The default session id generator in Apache::SessionX::Generate::MD5 returns an MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems.
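To make the weakness concrete, the following is an added example in Python, not the module's Perl code and not a copy of Apache::SessionX::Generate::MD5. It models the generator only as far as the description states it: an MD5 digest over the output of a deterministic rand(), the epoch time and the PID. The exact concatenation, the stand-in PRNG, the 32-bit seed size attributed to Perl's srand, the time window and the PID range are assumptions made for illustration. The point it demonstrates is that once the attacker reads the time from the Date header and knows the small PID range, the only remaining unknown is the PRNG seed, which can be enumerated offline; secure_session_id shows the intended replacement, an ID drawn directly from the OS CSPRNG.

```python
import hashlib
import math
import random
import secrets


def weak_rand(seed: int) -> float:
    """Stand-in for Perl's built-in rand(): a deterministic PRNG whose output is
    fixed once the seed is known. Assumption for illustration: Perl seeds rand()
    from a 32-bit value, so the first draw has at most 2**32 possibilities."""
    return random.Random(seed).random()


def legacy_session_id(seed: int, epoch: int, pid: int, length: int = 32) -> str:
    """Model of the generator as the advisory describes it: an MD5 hex digest over
    rand() output, the epoch time and the PID. Illustrative reconstruction only;
    the real module's concatenation and options are not reproduced here."""
    material = f"{weak_rand(seed)}{epoch}{pid}".encode()
    return hashlib.md5(material).hexdigest()[:length]


def secure_session_id(nbytes: int = 16) -> str:
    """Replacement: draw the ID straight from the OS CSPRNG (128 bits here).
    Neither time nor PID enters the value, so there is nothing to guess."""
    return secrets.token_hex(nbytes)


def guess_space_bits(seed_bits: int, time_window: int, pid_count: int) -> float:
    """log2 of the attacker's search space for the legacy generator: the product
    of the unknown inputs, nothing more."""
    return seed_bits + math.log2(time_window) + math.log2(pid_count)


def recover_session(target_id, seed_space, epoch_window, pid_range):
    """Attacker's offline enumeration. The epoch window comes from the HTTP Date
    header, the PID range from the small set a server uses; the seed is the only
    remaining unknown. Returns the (seed, epoch, pid) triple that reproduces
    target_id, or None if it is not in the searched space."""
    for seed in seed_space:
        r = weak_rand(seed)                      # one PRNG draw per candidate seed
        for epoch in epoch_window:
            for pid in pid_range:
                material = f"{r}{epoch}{pid}".encode()
                if hashlib.md5(material).hexdigest()[: len(target_id)] == target_id:
                    return (seed, epoch, pid)
    return None


if __name__ == "__main__":
    # Constructed scenario: the Date header places the login near epoch 1700000000,
    # worker PIDs are assumed to lie in 1000..1099, and the demo seed space is
    # 0..999 so the search finishes in seconds. With a 32-bit seed the real space
    # is about 2**(32 + log2(window) + log2(pids)) MD5s, still feasible offline.
    victim = legacy_session_id(seed=777, epoch=1700000001, pid=1042)
    found = recover_session(victim, range(1000),
                            range(1699999999, 1700000004), range(1000, 1100))
    print("legacy id:", victim, "-> recovered inputs:", found)
    print("real search space: ~2**%.1f" % guess_space_bits(32, 5, 100))
    print("secure id:", secure_session_id())
```

The search loops put the seed outermost so each candidate seed costs one PRNG draw and the inner work is a single MD5 per (time, PID) pair; that is the shape an offline attack takes when the hash is cheap and the inputs are low-entropy.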
NVD CVSS 3.1 base score: 8.2
Vulnerability type
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CWE-340: Generation of Predictable Numbers or Identifiers
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026