CVE-2025-1828

Severity: High (CVSS 3.1 base score 8.8) · EPSS 29.4%
Published Mar 11, 2025 · Last Modified Jun 17, 2026

Description

The Crypt::Random Perl package, versions 1.05 through 1.55, may use the rand() function, which is not cryptographically strong, for cryptographic purposes. If no Provider is specified and neither /dev/urandom nor an Entropy Gathering Daemon (egd) service is available, Crypt::Random falls back to the insecure Crypt::Random::rand provider. In particular, Windows builds of Perl hit this fallback by default.

CVSS Details

Base Score
8.8
Exploitability
2.8
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
29.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses (2)

CWE-331: Insufficient Entropy
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Affected Products (1)

Vendor      Product   Version Range
timlegge    crypt\\   ≥1.05 – ≤1.55

References (3)

  • github.com https://github.com/perl-Crypt-OpenPGP/Crypt-Random/commit/1f8b29e9e89d8d083fd025152e76ec918136cc05
    Patch
  • github.com https://github.com/perl-Crypt-OpenPGP/Crypt-Random/pull/1
    Issue Tracking, Patch
  • perldoc.perl.org https://perldoc.perl.org/functions/rand
    Patch

Remediation

The patch commit and pull request are the same links listed under References above.