CRITICAL🇵🇱 Wersja polska

CVE-2026-3256

CVSS 9.8v3.1pub. 2026-03-28upd. 2026-06-29

HTTP::Session versions before 0.54 for Perl defaults to using insecurely generated session ids. HTTP::Session defaults to using HTTP::Session::ID::SHA1 to generate session ids using a SHA-1 hash seeded with the built-in rand function, the high resolution epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. The distribution includes HTTP::session::ID::MD5 which contains a similar flaw, but uses the MD5 hash instead.

🤖 AI Analysis
How it works

HTTP::Session by default uses the HTTP::Session::ID::SHA1 module, which generates session identifiers as an SHA-1 hash powered by Perl's built-in rand() function, the current epoch time with high resolution, and the process number (PID). PID values come from a limited range of numbers, and epoch time can be guessed or read from the HTTP Date header sent by the server. Perl's built-in rand() function is not suitable for cryptographic applications, making the generated identifiers predictable. The HTTP::Session::ID::MD5 module included in the distribution contains an analogous flaw, using only the MD5 hash function instead of SHA-1.

Impact

An attacker can guess or brute-force the correct session identifier of another user, hijack their session, and gain full access to their data and web application functions, violating confidentiality, integrity, and availability.

Mitigation & patch

Apply patches available from the vendor according to the references. Until updating, it is recommended to replace the default session identifier generator with an implementation based on a cryptographically secure random source (e.g., according to MetaCPAN Security guidelines: https://security.metacpan.org/docs/guides/random-data-for-security.html) and avoid exposing server time in the HTTP Date header where possible.

Who is affected

HTTP::Session (Perl distribution by KTAT) in versions up to and including 0.53, using the HTTP::Session::ID::SHA1 or HTTP::Session::ID::MD5 modules by default.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Ktat Http\

    APP
    Ktat
    \
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References