{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-40915", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2025-04-16T09:05:34.361Z", "datePublished": "2025-06-11T17:09:50.664Z", "dateUpdated": "2025-06-11T17:57:28.026Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Mojolicious-Plugin-CSRF", "product": "Mojolicious::Plugin::CSRF", "repo": "https://github.com/gryphonshafer/Mojo-Plugin-CSRF", "vendor": "GRYPHON", "versions": [{"status": "affected", "version": "1.03", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens.</div><div>That version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function.</div>"}], "value": "Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens.\n\nThat version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62: Cross Site Request Forgery"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2025-06-11T17:09:50.664Z"}, "references": [{"url": "https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/diff/GRYPHON/Mojolicious-Plugin-CSRF-1.03"}, {"url": "https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/changes"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Users of version 1.03 should upgrade to 1.04."}], "value": "Users of version 1.03 should upgrade to 1.04."}], "source": {"discovery": "UNKNOWN"}, "title": "Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-06-11T17:52:49.542565Z", "id": "CVE-2025-40915", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-11T17:57:28.026Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-40915", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-11T17:52:49.542565Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-11T17:56:38.434Z"}}], "cna": {"title": "Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62: Cross Site Request Forgery"}]}], "affected": [{"repo": "https://github.com/gryphonshafer/Mojo-Plugin-CSRF", "vendor": "GRYPHON", "product": "Mojolicious::Plugin::CSRF", "versions": [{"status": "affected", "version": "1.03", "versionType": "custom"}], "packageName": "Mojolicious-Plugin-CSRF", "collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Users of version 1.03 should upgrade to 1.04.", "supportingMedia": [{"type": "text/html", "value": "Users of version 1.03 should upgrade to 1.04.", "base64": false}]}], "references": [{"url": "https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/diff/GRYPHON/Mojolicious-Plugin-CSRF-1.03"}, {"url": "https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/changes"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens.\n\nThat version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function.", "supportingMedia": [{"type": "text/html", "value": "<div>Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens.</div><div>That version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function.</div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2025-06-11T17:09:50.664Z"}}}, "cveMetadata": {"cveId": "CVE-2025-40915", "state": "PUBLISHED", "dateUpdated": "2025-06-11T17:57:28.026Z", "dateReserved": "2025-04-16T09:05:34.361Z", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "datePublished": "2025-06-11T17:09:50.664Z", "assignerShortName": "CPANSec"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens.\n\nThat version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function."}, {"lang": "es", "value": "Mojolicious::Plugin::CSRF 1.03 para Perl utiliza una fuente de n\u00fameros aleatorios d\u00e9bil para generar tokens CSRF. Esta versi\u00f3n del m\u00f3dulo genera tokens como un MD5 del ID del proceso, la hora actual y una \u00fanica llamada a la funci\u00f3n integrada rand()."}], "id": "CVE-2025-40915", "lastModified": "2025-06-12T16:06:20.180", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-06-11T17:15:42.793", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/changes"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/diff/GRYPHON/Mojolicious-Plugin-CSRF-1.03"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-338"}], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary"}]}

{}