Plack::Middleware::Session::Simple Insecure Session ID Generation Vulnerability
Vulnerability
A vulnerability exists in Plack::Middleware::Session::Simple versions through 0.04 for Perl, where session IDs are generated insecurely. The default generator returns a SHA-1 hash of three inputs: the output of Perl's built-in rand function, the epoch time, and the process ID (PID). This is flawed because the PID is drawn from a small range of values, the epoch time can be guessed (and may simply be leaked in the HTTP Date header), and the built-in rand function is not suitable for cryptographic use; hashing these inputs adds no entropy. The resulting session IDs are predictable, which could allow an attacker to gain unauthorized access to systems. This middleware aims to be compatible with Plack::Middleware::Session, which has a related security vulnerability (CVE-2025-40923).
Impact
The vulnerability leads to the generation of predictable session IDs, which can be exploited to gain unauthorized access to systems.
Reproduction
The vulnerability can be reproduced by using Plack::Middleware::Session::Simple in a Perl application with the default session ID generator. The IDs it issues are derived only from rand, the epoch time, and the PID, so they are predictable and insecure. This can be verified by comparing the session IDs issued to different users or sessions, which follow a pattern rather than being uniformly random.
Remediation
Users can upgrade to Plack::Middleware::Session::Simple version 0.35 or later, where this vulnerability has been addressed by using Crypt::SysRandom to generate session IDs securely.
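As an added illustration (not code from the module or from this page), the following shows a weak generator modelled on the description above next to a Crypt::SysRandom-based replacement, wired into a Plack app; the option names sid_generator, sid_validator and httponly, and the DemoStore get/set/remove interface, are assumptions.

```perl
use strict;
use warnings;
use Digest::SHA      qw(sha1_hex);     # core module
use Crypt::SysRandom qw(random_bytes); # CPAN; reads the OS CSPRNG
use Plack::Builder;

# Weak generator written after the page's description of the default in
# versions through 0.04 (not the module's own code): SHA-1 over rand(), the
# epoch time and the PID. Hashing adds no entropy, so the id is only as
# unpredictable as those three small or guessable inputs.
sub weak_session_id {
    return sha1_hex( rand() . time() . $$ );
}

# Hardened generator in the spirit of the fix the page names: 16 bytes
# (128 bits) taken directly from the OS CSPRNG and hex-encoded.
sub secure_session_id {
    return unpack 'H*', random_bytes(16);
}

# Validator matched to the shape secure_session_id() emits, so ids of any
# other form (including old-style ones) are rejected rather than looked up.
my $SID_RE = qr/\A[0-9a-f]{32}\z/;

# Minimal in-memory store for the demo (assumed get/set/remove interface;
# a real deployment would use a shared cache such as memcached).
package DemoStore {
    sub new    { bless {}, shift }
    sub get    { $_[0]{ $_[1] } }
    sub set    { $_[0]{ $_[1] } = $_[2] }
    sub remove { delete $_[0]{ $_[1] } }
}

my $app = sub {
    my $env = shift;
    my $n = ++$env->{'psgix.session'}{visits};
    return [ 200, [ 'Content-Type' => 'text/plain' ], [ "visits: $n\n" ] ];
};

# Assumed option names sid_generator / sid_validator: the intent is to replace
# the default generator in an installed copy that cannot be upgraded yet.
builder {
    enable 'Session::Simple',
        store         => DemoStore->new,
        cookie_name   => 'demo_session',
        httponly      => 1,
        sid_generator => \&secure_session_id,
        sid_validator => $SID_RE;
    $app;
};
```

Save as a .psgi file and start it with plackup; weak_session_id is kept only for comparison and is never wired into the app.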