CVE-2026-3255

MEDIUM EPSS 33.5%
Published Feb 27, 2026 (4mo ago) · Modified Mar 4, 2026 (3mo ago)
6.5 CVSS 3.1
Medium

Description

HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function. The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID comes from a small set of numbers, and the epoch time may be guessed if it is not already leaked by the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage. HTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), it reverts to the insecure method described above.

CVSS Details

Base Score
6.5
Exploitability
3.9
Impact
2.5
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability Low

Threat Intelligence

EPSS Exploit Probability
33.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-338
CWE-340

Affected Products 1

Vendor: tokuhirom · Product: http\\ · Version Range: <1.12

References 5

  • openwall.com http://www.openwall.com/lists/oss-security/2026/02/27/12
    Mailing List, Third Party Advisory
  • github.com https://github.com/tokuhirom/HTTP-Session2/commit/9cfde4d7e0965172aef5dcfa3b03bb48df93e636.patch
    Patch
  • metacpan.org https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.01/source/lib/HTTP/Session2/ServerStore.pm#L68
    Issue Tracking
  • metacpan.org https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.11/source/lib/HTTP/Session2/Random.pm#L35
    Issue Tracking
  • metacpan.org https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.12/changes
    Release Notes

Remediation

  • github.com https://github.com/tokuhirom/HTTP-Session2/commit/9cfde4d7e0965172aef5dcfa3b03bb48df93e636.patch
    Patch