CVE-2025-40926 - Vulnerability Analysis
Severity: Critical | CVSS: 9.8 | Last Updated: March 5, 2026
Plack::Middleware::Session::Simple - Authentication Bypass
Published: March 5, 2026 | Updated: March 5, 2026 | Remotely Exploitable
Overview
Plack::Middleware::Session::Simple <= 0.04 for Perl contains a broken-authentication weakness caused by insecure session ID generation that uses predictable seeds. An attacker who can reproduce the seed can guess valid session IDs and gain unauthorized access; exploitation requires no special privileges.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Attackers can predict session IDs to hijack sessions and gain unauthorized access to user accounts or systems.
Mitigation
Update to the latest version with secure session ID generation.
References
- https://github.com/kazeburo/Plack-Middleware-Session-Simple/pull/4
- https://metacpan.org/release/KAZEBURO/Plack-Middleware-Session-Simple-0.04/source/lib/Plack/Middleware/Session/Simple.pm#L43
- https://security.metacpan.org/docs/guides/random-data-for-security.html
- https://www.cve.org/CVERecord?id=CVE-2025-40923
- https://github.com/kazeburo/Plack-Middleware-Session-Simple/commit/760bb358b8f53e52cf415888a4ac858fd99bb24e.patch
Details
- CVE ID: CVE-2025-40926
- Severity: Critical
- CVSS Score: 9.8
- Type: broken_authentication
- Status: unconfirmed
CWE
- CWE-338
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H