CVE-2025-40920

Published: Aug 11, 2025

Modified: Jan 17, 2026

PUBLISHED

Description

Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library.

* Data::UUID does not use a strong cryptographic source for generating UUIDs.
* Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562.
* The nonces should be generated from a strong cryptographic source, as per RFC 7616.

Vendor: ETHER
Product: Catalyst::Authentication::Credential::HTTP
Versions: affected, 0.06 - <= 1.018

Weaknesses (CWE)
