CVE-2019-11808
Description
Ratpack versions before 1.6.1 generate session IDs using a cryptographically weak PRNG (ThreadLocalRandom), allowing attackers to predict session IDs if they can determine the server start time and obtain one session ID.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
Ratpack versions prior to 1.6.1 generate session IDs using the JDK's ThreadLocalRandom, a cryptographically weak pseudo-random number generator [1]. This flaw means that session IDs are not sufficiently random and can be predicted if an attacker can narrow down the server start time and obtain a single session ID value [2]. The default DefaultSessionIdGenerator class used ThreadLocalRandom to produce the two 64-bit values for a UUID, making the output deterministic within a small window [3].
Exploitation
An attacker must first determine a small window for the server start time (e.g., through server response headers or other timing information) and then obtain at least one valid session ID. With this information, they can theoretically compute the sequence of session IDs generated by the server, allowing them to predict future session IDs or reconstruct past ones [1][2]. The attack does not require authentication but does require network access to observe session IDs and knowledge of the server start time.
Impact
Successful exploitation enables session hijacking: an attacker can impersonate a legitimate user by using a predicted session ID to gain unauthorized access to the user's session. This could lead to data exposure, privilege escalation, or other malicious actions depending on the application's session management [4]. The vulnerability is particularly critical for applications using server-side sessions, as client-side sessions do not rely on the session ID for security [4].
Mitigation
The vulnerability is fixed in Ratpack version 1.6.1, which replaces ThreadLocalRandom with UUID.randomUUID(), sourcing entropy from the system's secure random generator [3][4]. Users unable to upgrade can mitigate by binding a custom SessionIdGenerator implementation based on the fixed version [4]. The fix also marks the generator as @Singleton to ensure consistent behavior [3].
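The following is an added example of the "bind a custom SessionIdGenerator" mitigation described above; it is not the project's DefaultSessionIdGenerator from the advisory or the commit. Instead of UUID.randomUUID() it reads 256 bits from a single SecureRandom instance and encodes them as URL-safe base64, and the main() shows a Ratpack bootstrap that installs SessionModule and then binds the replacement. The class name, the handler and the "visited" key are assumptions, and the bootstrap assumes Ratpack's Guice.registry applies later bindings as overrides of earlier modules, which is how the bound instance replaces the provider in SessionModule.

```java
package example;

import io.netty.util.AsciiString;
import ratpack.guice.Guice;
import ratpack.server.RatpackServer;
import ratpack.session.Session;
import ratpack.session.SessionIdGenerator;
import ratpack.session.SessionModule;

import java.security.SecureRandom;
import java.util.Base64;

/**
 * Replacement for the pre-1.6.1 DefaultSessionIdGenerator (hypothetical class,
 * not part of Ratpack). It never touches ThreadLocalRandom: every ID is 32 bytes
 * (256 bits) drawn from one SecureRandom instance, so knowing the server start
 * time plus one issued ID gives no information about the next one.
 */
public final class SecureSessionIdGenerator implements SessionIdGenerator {

  private static final int ID_BYTES = 32;

  // SecureRandom is thread-safe, so a single shared instance is fine.
  private final SecureRandom random = new SecureRandom();

  @Override
  public AsciiString generateSessionId() {
    byte[] buf = new byte[ID_BYTES];
    random.nextBytes(buf);
    // URL-safe base64 without padding keeps the cookie value free of '=' and '/'.
    String id = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    // cached(): same call the 1.6.1 fix uses, avoids re-encoding on toString().
    return AsciiString.cached(id);
  }

  // Example bootstrap (assumed, not the project's): SessionModule is installed
  // first, then the custom generator is bound so it overrides the module's own
  // @Provides SessionIdGenerator. Binding an instance also makes it a singleton.
  public static void main(String... args) throws Exception {
    RatpackServer.start(server -> server
      .registry(Guice.registry(bindings -> bindings
        .module(SessionModule.class)
        .bindInstance(SessionIdGenerator.class, new SecureSessionIdGenerator())))
      .handlers(chain -> chain
        .get(ctx -> ctx.get(Session.class)
          .set("visited", "true")   // touching the session forces an ID to be issued
          .then(() -> ctx.render("session cookie issued by SecureSessionIdGenerator")))));
  }
}
```

After starting the server, the Set-Cookie header of the first response carries a 43-character base64 value rather than a UUID; the same binding approach works for Groovy projects, since it only touches the Guice registry.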
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.ratpack:ratpack-session | Maven | < 1.6.1 | 1.6.1 |
| io.ratpack:ratpack-java | Maven | < 1.6.1 | 1.6.1 |
| io.ratpack:ratpack-groovy | Maven | < 1.6.1 | 1.6.1 |
Affected products
- Ratpack/Ratpack (GHSA coordinates, 3 package versions)
  - pkg:maven/io.ratpack/ratpack-groovy (no CPE), range: < 1.6.1
  - pkg:maven/io.ratpack/ratpack-java (no CPE), range: < 1.6.1
  - pkg:maven/io.ratpack/ratpack-session (no CPE), range: < 1.6.1
Patches
f2b63eb82dd7 Use UUID directly for generating session IDs
2 files changed · +4 −4
ratpack-session/src/main/java/ratpack/session/internal/DefaultSessionIdGenerator.java+3 −4 modified@@ -16,18 +16,17 @@ package ratpack.session.internal; +import com.google.inject.Singleton; import io.netty.util.AsciiString; import ratpack.session.SessionIdGenerator; import java.util.UUID; -import java.util.concurrent.ThreadLocalRandom; +@Singleton public class DefaultSessionIdGenerator implements SessionIdGenerator { public AsciiString generateSessionId() { - ThreadLocalRandom random = ThreadLocalRandom.current(); - UUID uuid = new UUID(random.nextLong(), random.nextLong()); - return AsciiString.of(uuid.toString()); + return AsciiString.cached(UUID.randomUUID().toString()); } }
ratpack-session/src/main/java/ratpack/session/SessionModule.java+1 −0 modified@@ -194,6 +194,7 @@ SessionStore sessionStoreAdapter(@Named(LOCAL_MEMORY_SESSION_CACHE_BINDING_NAME) } @Provides + @Singleton SessionIdGenerator sessionIdGenerator() { return new DefaultSessionIdGenerator(); }
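Review bot: the class-level `@Singleton` added in the DefaultSessionIdGenerator hunk has no effect on how SessionModule obtains the instance, because the `@Provides SessionIdGenerator sessionIdGenerator()` method constructs it with `new`, and Guice applies a scope annotation on a class only to bindings it constructs itself; keep it as documentation of intent, but the scope that matters is the one on the provider method. Also worth a one-line comment above `return AsciiString.cached(UUID.randomUUID().toString());` stating that `UUID.randomUUID()` was chosen because it is backed by SecureRandom and that ThreadLocalRandom must not be reintroduced, so the reason for the change survives the next refactor.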
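Review bot: the SessionModule hunk adds `@Singleton` to `sessionIdGenerator()` but no import line, so it compiles only if `Singleton` is already imported in that file (either `com.google.inject.Singleton` or `javax.inject.Singleton`, both honoured by Guice); worth confirming, since the other file in this commit needed `+import com.google.inject.Singleton;`. The scope itself is right here: a `@Provides` method is unscoped by default, and the singleton ensures one generator instance backs every session.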
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-54mg-vgrp-mwx9 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-11808 (ghsa, ADVISORY)
- github.com/ratpack/ratpack/commit/f2b63eb82dd71194319fd3945f5edf29b8f3a42d (ghsa, x_refsource_MISC, WEB)
- github.com/ratpack/ratpack/issues/1448 (ghsa, x_refsource_MISC, WEB)
- github.com/ratpack/ratpack/releases/tag/v1.6.1 (ghsa, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.