Nixpkgs security tracker

Untriaged

Permalink CVE-2025-1860

7.7 HIGH

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 1 year ago

Data::Entropy for Perl uses insecure rand() function for cryptographic functions

Data::Entropy for Perl 0.007 and earlier use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.

References

https://perldoc.perl.org/functions/rand
https://metacpan.org/release/ZEFRAM/Data-Entropy-0.007/source/lib/Data/Entropy.…
https://lists.debian.org/debian-lts-announce/2025/03/msg00026.html

Affected products

Data-Entropy

<0.008

Matching in nixpkgs

pkgs.perl538Packages.DataEntropy

Entropy (randomness) management

nixos-unstable 0.007
- nixpkgs-unstable 0.007
- nixos-unstable-small 0.007

pkgs.perl540Packages.DataEntropy