Nixpkgs security tracker

Untriaged

Permalink CVE-2025-40931

9.1 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 1 month, 2 weeks ago Activity log

Created suggestion 1 month, 2 weeks ago

Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id

Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.

References

Affected products

Apache-Session

=<1.94

Matching in nixpkgs

pkgs.perlPackages.ApacheSession

Persistence framework for session data

nixos-unstable 1.94
- nixpkgs-unstable 1.94
- nixos-unstable-small 1.94
nixos-25.11 1.94
- nixos-25.11-small 1.94
- nixpkgs-25.11-darwin 1.94

pkgs.perl5Packages.ApacheSession

Persistence framework for session data

nixos-unstable 1.94
- nixpkgs-unstable 1.94
- nixos-unstable-small 1.94

pkgs.perl538Packages.ApacheSession

Persistence framework for session data

nixos-25.11 1.94
- nixos-25.11-small 1.94
- nixpkgs-25.11-darwin 1.94

pkgs.perl540Packages.ApacheSession

Persistence framework for session data

nixos-25.11 1.94
- nixos-25.11-small 1.94
- nixpkgs-25.11-darwin 1.94

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.perlPackages.ApacheSession

pkgs.perl5Packages.ApacheSession

pkgs.perl538Packages.ApacheSession

pkgs.perl540Packages.ApacheSession