High severity7.5NVD Advisory· Published Sep 17, 2025· Updated Apr 15, 2026

CVE-2025-40933

Description

Apache::AuthAny::Cookie v0.201 or earlier for Perl generates session ids insecurely.

Session ids are generated using an MD5 hash of the epoch time and a call to the built-in rand function. The epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

Predicable session ids could allow an attacker to gain access to systems.

Affected products

Pachno/Apache Authany Cookieinferred
Range: <=0.201
Package: https://pypi.org/project/apache-authany-cookie

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

metacpan.org/release/KGOLDOV/Apache2-AuthAny-0.201/source/lib/Apache2/AuthAny/Cookie.pmnvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000