CVE-2026-5084

WebDyne::Session versions through 2.075 for Perl generates the session id insecurely

Assigner: CPANSec
Reserved: 28.03.2026 Published: 11.05.2026 Updated: 11.05.2026

WebDyne::Session versions through 2.075 for Perl generates the session id insecurely.

The session handler generates the session id from an MD5 hash seeded with a call to the built-in rand() function. The rand function is passed a maximum value based on the process id, the epoch time and the reference address of the object, but this information will have no effect on the overall quality of the seed of the message digest.

The rand function is seeded by 32-bits and is predictable. It is considered unsuitable for cryptographic purposes.

Predictable session ids could allow an attacker to gain access to systems.

Note that WebDyne::Session versions 1.042 and earlier appear to be in separate distributions from WebDyne.

Product Status

Vendor	ASPEER
Product	WebDyne::Session
Versions	Default: unaffected affected from 0 to 2.075 (incl.)

Vendor

ASPEER

Product

WebDyne::Session

Versions

Default: unaffected

affected from 0 to 2.075 (incl.)

References

Problem Types

CWE-340 Generation of Predictable Numbers or Identifiers CWE
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator CWE

Impacts

CAPEC-102 Session Sidejacking

CVE-2026-5084 PUBLISHED

WebDyne::Session versions through 2.075 for Perl generates the session id insecurely

Product Status

References

Problem Types

Impacts