Skip to main content

Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

© 2026 Mondoo, Inc.

Privacy Policy Terms of Service Imprint

Vulnerability Intelligence

CVE-2025-40920 | Mondoo Vulnerability Intelligence

Vulnerability IntelligenceCVE-2025-40920

CVE-2025-40920

HIGH8.6

Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl use insecurely generated nonces

Published Aug 11, 2025

Modified 1 months ago

Details

Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library.

Data::UUID does not use a strong cryptographic source for generating UUIDs.
Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562.
The nonces should be generated from a strong cryptographic source, as per RFC 7616.

References

http://www.openwall.com/lists/oss-security/2025/08/12/1

https://datatracker.ietf.org/doc/html/rfc7616#section-5.12

https://datatracker.ietf.org/doc/html/rfc9562#name-security-considerations

https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/commit/ad2c03aad95406db4ce35dfb670664ebde004c18

https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/pull/1

https://metacpan.org/release/ETHER/Catalyst-Authentication-Credential-HTTP-1.018/source/lib/Catalyst/Authentication/Credential/HTTP.pm#L391

https://security.metacpan.org/patches/C/Catalyst-Authentication-Credential-HTTP/1.018/CVE-2025-40920-r1.patch

https://www.cve.org/CVERecord?id=CVE-2025-40920

CVSS Analysis

CVSS v3.1

8.6

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

LowI:L

Availability

LowA:L

8.6/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Weakness Type (CWE)

Other

Ecosystems

Timeline

PublishedAug 11, 2025

ModifiedJan 17, 2026