LeakyCreds

CVE-2025-40931 - Vulnerability Analysis

Critical | CVSS: 9.1

Last Updated: March 5, 2026

Apache::Session::Generate::MD5 - Authentication Bypass

Published: March 5, 2026 | Updated: March 5, 2026 | Remote Exploitable

Overview

Apache::Session::Generate::MD5 <= 1.94 for Perl contains a broken authentication flaw caused by insecure session ID generation using predictable MD5 seeds. This lets attackers predict session IDs and gain unauthorized access. Exploitation requires no special conditions.

Severity & Score

Severity: Critical
CVSS Score: 9.1

Impact

Attackers can predict session IDs, potentially allowing unauthorized access to user sessions and sensitive data.

Mitigation

Update to the latest version with secure session ID generation.

Details

CVE ID: CVE-2025-40931
Severity: Critical
CVSS Score: 9.1
Type: broken_authentication
Status: unconfirmed

CWE

  • CWE-338

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N