Medium severity5.3NVD Advisory· Published Jan 3, 2025· Updated Apr 15, 2026

CVE-2025-22376

Description

In Net::OAuth::Client in the Net::OAuth package before 0.29 for Perl, the default nonce is a 32-bit integer generated from the built-in rand() function, which is not cryptographically strong.

Patches

18f01ea2686b

https://github.com/keeth/Net-OAuthvia osv

2aa25e04aada

https://github.com/keeth/Net-OAuthvia osv

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

datatracker.ietf.org/doc/html/rfc5849nvd
datatracker.ietf.org/doc/html/rfc5849nvd
github.com/keeth/Net-OAuth/commit/2aa25e04aadab247ae4063363fcee177161e1f42nvd
metacpan.org/release/KGRENNAN/Net-OAuth-0.28/source/lib/Net/OAuth/Client.pmnvd
metacpan.org/release/RRWO/Net-OAuth-0.29/changesnvd
metacpan.org/release/RRWO/Net-OAuth-0.29/diff/KGRENNAN/Net-OAuth-0.28nvd
www.vulnarium.com/blogpost-2025-01-05nvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000