High severity8.6NVD Advisory· Published Aug 11, 2025· Updated Apr 15, 2026

CVE-2025-40920

Description

Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. * Data::UUID does not use a strong cryptographic source for generating UUIDs. * Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562. * The nonces should be generated from a strong cryptographic source, as per RFC 7616.

Patches

ad2c03aad954

https://github.com/perl-catalyst/catalyst-authentication-credential-httpvia osv

4482f4920571

https://github.com/perl-catalyst/catalyst-authentication-credential-httpvia osv

PR #1

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

www.openwall.com/lists/oss-security/2025/08/12/1nvd
datatracker.ietf.org/doc/html/rfc7616nvd
datatracker.ietf.org/doc/html/rfc9562nvd
github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/commit/ad2c03aad95406db4ce35dfb670664ebde004c18nvd
github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/pull/1nvd
metacpan.org/release/ETHER/Catalyst-Authentication-Credential-HTTP-1.018/source/lib/Catalyst/Authentication/Credential/HTTP.pmnvd
security.metacpan.org/patches/C/Catalyst-Authentication-Credential-HTTP/1.018/CVE-2025-40920-r1.patchnvd

News mentions

No linked articles in our index yet.

cvss	0.559
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000