Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-2814

Crypt::CBC versions between 1.21 and 3.05 for Perl may use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. This issue affects operating systems where "/dev/urandom'" is unavailable. In that case, Crypt::CBC will fallback to use the insecure rand() function.

Published

2025-04-13T00:15:14.997

Last Modified

2025-09-05T14:15:44.323

Status

Awaiting Analysis

Source

9b29abf9-4ab0-4765-b253-1875cd9b441e

Severity

CVSSv3.1: 4.0 (MEDIUM)

Weaknesses

Type: Secondary
CWE-329
CWE-331
CWE-338
Type: Secondary
CWE-338

Affected Vendors & Products

References

https://github.com/lstein/Lib-Crypt-CBC/commit/37111f7cd894bcec46156ba7f40a49c126ebf535.patch (9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://metacpan.org/dist/Crypt-CBC/source/lib/Crypt/CBC.pm#L777 (9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://perldoc.perl.org/functions/rand (9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://security.metacpan.org/docs/guides/random-data-for-security.html (9b29abf9-4ab0-4765-b253-1875cd9b441e)