CVE-2025-40905 PUBLISHED

WWW::OAuth 1.000 and earlier for Perl uses insecure rand() function for cryptographic functions

Assigner: CPANSec
Reserved: 16.04.2025
Published: 12.02.2026
Updated: 12.02.2026

WWW::OAuth 1.000 and earlier for Perl uses Perl's built-in rand() function, which is not cryptographically secure, as the default source of entropy for cryptographic functions.
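As an added illustration (not code from WWW::OAuth or from this advisory), the following Perl contrasts a nonce generator built on rand() with one that draws bytes from the operating system's CSPRNG via Crypt::URandom; the function names weak_nonce and secure_nonce are hypothetical and are not the module's own API.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Crypt::URandom qw(urandom);            # CPAN module: bytes from the OS CSPRNG
use MIME::Base64   qw(encode_base64url);   # core module (3.11 or later)

my @alphabet = ('a'..'z', 'A'..'Z', '0'..'9');

# Weak (CWE-338): rand() is a small-state, deterministic PRNG. Anyone who
# learns or guesses its seed, or observes enough of its output, can
# reproduce every "random" nonce it will ever emit.
sub weak_nonce {
    my $len = shift // 32;
    return join '', map { $alphabet[int rand @alphabet] } 1 .. $len;
}

# Hardened: take raw bytes from the operating system's CSPRNG and encode
# them; the result is unpredictable and suitable for an OAuth nonce.
sub secure_nonce {
    my $nbytes = shift // 24;   # 24 bytes -> 32 base64url characters, no padding
    return encode_base64url(urandom($nbytes));
}

# Why rand() is unfit for secrets: reseeding replays the exact same nonce.
srand(12345);
my $first = weak_nonce();
srand(12345);
my $again = weak_nonce();
print "rand() nonce reproducible after reseed:  ", ($first eq $again ? "yes" : "no"), "\n";

# The CSPRNG-backed nonce cannot be replayed this way; srand() does not affect it.
srand(12345);
my $s1 = secure_nonce();
srand(12345);
my $s2 = secure_nonce();
print "urandom nonce reproducible after reseed: ", ($s1 eq $s2 ? "yes" : "no"), "\n";

# Checking which release is installed before and after upgrading
# (1.001 is the fixed release named in this advisory):
#   perl -MWWW::OAuth -e 'print "$WWW::OAuth::VERSION\n"'
```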

Product Status

Vendor DBOOK
Product WWW::OAuth
Versions Default: unaffected
  • affected from 0 to 1.000 (incl.)

Solutions

Upgrade to WWW::OAuth 1.001 or higher

Credits

  • Robert Rothenberg (RRWO), finder

References

Problem Types

  • CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)