Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Details of issue NIXPKGS-2025-0004

NIXPKGS-2025-0004
published on
Permalink CVE-2025-40920
8.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 6 months, 4 weeks ago by @Erethon Activity log
  • Created automatic suggestion 8 months ago
  • @Erethon accepted 6 months, 4 weeks ago
  • @Erethon published on GitHub 6 months, 4 weeks ago
Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl use insecurely generated nonces

Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. * Data::UUID does not use a strong cryptographic source for generating UUIDs. * Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562. * The nonces should be generated from a strong cryptographic source, as per RFC 7616.

References

Affected products

Catalyst-Authentication-Credential-HTTP
  • =<1.018

Matching in nixpkgs