CVE-2025-40920

NameCVE-2025-40920
DescriptionCatalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. * Data::UUID does not use a strong cryptographic source for generating UUIDs. * Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562. * The nonces should be generated from a strong cryptographic source, as per RFC 7616.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1110887

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libcatalyst-authentication-credential-http-perl (PTS)bullseye1.018-1vulnerable
bookworm1.018-2vulnerable
trixie1.018-3vulnerable
forky, sid1.018-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libcatalyst-authentication-credential-http-perlsource(unstable)1.018-41110887

Notes

[trixie] - libcatalyst-authentication-credential-http-perl <no-dsa> (Minor issue)
[bookworm] - libcatalyst-authentication-credential-http-perl <no-dsa> (Minor issue)
[bullseye] - libcatalyst-authentication-credential-http-perl <postponed> (Minor issue; can be fixed in next update)
https://lists.security.metacpan.org/cve-announce/msg/31902514/
https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/pull/1
Fixed by: https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/commit/ad2c03aad95406db4ce35dfb670664ebde004c18

Search for package or bug name: Reporting problems