CVE-2026-3255

HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function. The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage. HTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), then it will revert to the insecure method described above.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/tokuhirom/HTTP-Session2/commit/9cfde4d7e0965172aef5dcfa3b03bb48df93e636.patch	Patch
https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.01/source/lib/HTTP/Session2/ServerStore.pm#L68	Issue Tracking
https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.11/source/lib/HTTP/Session2/Random.pm#L35	Issue Tracking
https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.12/changes	Release Notes
http://www.openwall.com/lists/oss-security/2026/02/27/12	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tokuhirom:http\:\:session2:*:*:*:*:*:perl:*:*

History

No history.

Information

Published : 2026-02-27 20:21

Updated : 2026-03-04 15:51

NVD link : CVE-2026-3255

Mitre link : CVE-2026-3255

CVE.ORG link : CVE-2026-3255

JSON object : View

Products Affected

tokuhirom

http\

CWE

CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CWE-340

Generation of Predictable Numbers or Identifiers

{"id": "CVE-2026-3255", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2026-02-27T20:21:41.180", "references": [{"url": "https://github.com/tokuhirom/HTTP-Session2/commit/9cfde4d7e0965172aef5dcfa3b03bb48df93e636.patch", "tags": ["Patch"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.01/source/lib/HTTP/Session2/ServerStore.pm#L68", "tags": ["Issue Tracking"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.11/source/lib/HTTP/Session2/Random.pm#L35", "tags": ["Issue Tracking"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.12/changes", "tags": ["Release Notes"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "http://www.openwall.com/lists/oss-security/2026/02/27/12", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "description": [{"lang": "en", "value": "CWE-338"}, {"lang": "en", "value": "CWE-340"}]}], "descriptions": [{"lang": "en", "value": "HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function.\n\nThe HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage.\n\nHTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), then it will revert to the insecure method described above."}, {"lang": "es", "value": "Las versiones de HTTP::Session2 anteriores a la 1.12 para Perl pueden generar identificadores de sesi\u00f3n d\u00e9biles utilizando la funci\u00f3n rand().\n\nEl generador de identificadores de sesi\u00f3n de HTTP::Session2 devuelve un hash SHA-1 inicializado con la funci\u00f3n rand incorporada, el tiempo de \u00e9poca y el PID. El PID provendr\u00e1 de un peque\u00f1o conjunto de n\u00fameros, y el tiempo de \u00e9poca puede ser adivinado, si no se filtra del encabezado HTTP Date. La funci\u00f3n rand() incorporada no es adecuada para uso criptogr\u00e1fico.\n\nHTTP::Session2 despu\u00e9s de la versi\u00f3n 1.02 intentar\u00e1 usar el dispositivo /dev/urandom para generar un identificador de sesi\u00f3n, pero si el dispositivo no est\u00e1 disponible (por ejemplo, bajo Windows), entonces revertir\u00e1 al m\u00e9todo inseguro descrito anteriormente."}], "lastModified": "2026-03-04T15:51:09.683", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tokuhirom:http\\:\\:session2:*:*:*:*:*:perl:*:*", "vulnerable": true, "matchCriteriaId": "D09565CB-6117-4D7D-BDFB-60715A2A058E", "versionEndExcluding": "1.12"}], "operator": "OR"}]}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}