CVE-2025-15604 (GCVE-0-2025-15604)
Vulnerability from cvelistv5 – Published: 2026-03-28 18:43 – Updated: 2026-04-01 14:13
VLAI?
Title
Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions
Summary
Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions.
In versions 6.06 through 6.16, the random_string function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes by concatenating a SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.
Before version 6.06, there was no fallback when /dev/urandom was not available.
Before version 6.04, the random_string function used the built-in rand() function to generate a mixed-case alphanumeric string.
This function may be used for generating session ids, generating secrets for signing or encrypting cookie session data and generating tokens used for Cross Site Request Forgery (CSRF) protection.
Severity ?
9.8 (Critical)
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-28T20:06:46.387Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/28/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-15604",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T14:12:25.901323Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:13:01.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Amon2",
"product": "Amon2",
"programFiles": [
"lib/Amon2/Util.pm"
],
"programRoutines": [
{
"name": "Amon2::Util::random_string"
}
],
"repo": "https://github.com/tokuhirom/Amon",
"vendor": "TOKUHIROM",
"versions": [
{
"lessThan": "6.17",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions.\n\nIn versions 6.06 through 6.16, the random_string function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes by concatenating a SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nBefore version 6.06, there was no fallback when /dev/urandom was not available.\n\nBefore version 6.04, the random_string function used the built-in rand() function to generate a mixed-case alphanumeric string.\n\nThis function may be used for generating session ids, generating secrets for signing or encrypting cookie session data and generating tokens used for Cross Site Request Forgery (CSRF) protection."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
},
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
},
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-340",
"description": "CWE-340 Generation of Predictable Numbers or Identifiers",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-28T18:43:56.318Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://metacpan.org/release/TOKUHIROM/Amon2-6.17/diff/TOKUHIROM/Amon2-6.16#lib/Amon2/Util.pm"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/TOKUHIROM/Amon2-6.17/changes"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/tokuhirom/Amon/pull/135"
},
{
"tags": [
"technical-description"
],
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Amon2 version 6.17 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2025-15604",
"datePublished": "2026-03-28T18:43:56.318Z",
"dateReserved": "2026-03-08T23:56:33.670Z",
"dateUpdated": "2026-04-01T14:13:01.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-15604\",\"sourceIdentifier\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"published\":\"2026-03-28T19:16:53.387\",\"lastModified\":\"2026-04-01T15:16:23.170\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions.\\n\\nIn versions 6.06 through 6.16, the random_string function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes by concatenating a SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\\n\\nBefore version 6.06, there was no fallback when /dev/urandom was not available.\\n\\nBefore version 6.04, the random_string function used the built-in rand() function to generate a mixed-case alphanumeric string.\\n\\nThis function may be used for generating session ids, generating secrets for signing or encrypting cookie session data and generating tokens used for Cross Site Request Forgery (CSRF) protection.\"},{\"lang\":\"es\",\"value\":\"Las versiones de Amon2 anteriores a la 6.17 para Perl utilizan una implementaci\u00f3n insegura de random_string para funciones de seguridad.\\n\\nEn las versiones 6.06 a la 6.16, la funci\u00f3n random_string intentar\u00e1 leer bytes del dispositivo /dev/urandom, pero si este no est\u00e1 disponible, entonces genera bytes concatenando un hash SHA-1 inicializado con la funci\u00f3n rand() incorporada, el PID y el tiempo de \u00e9poca de alta resoluci\u00f3n. El PID provendr\u00e1 de un peque\u00f1o conjunto de n\u00fameros, y el tiempo de \u00e9poca puede ser adivinado, si no se filtra del encabezado HTTP Date. La funci\u00f3n rand incorporada no es adecuada para uso criptogr\u00e1fico.\\n\\nAntes de la versi\u00f3n 6.06, no hab\u00eda un mecanismo de respaldo cuando /dev/urandom no estaba disponible.\\n\\nAntes de la versi\u00f3n 6.04, la funci\u00f3n random_string utilizaba la funci\u00f3n rand() incorporada para generar una cadena alfanum\u00e9rica de may\u00fasculas y min\u00fasculas.\\n\\nEsta funci\u00f3n puede ser utilizada para generar IDs de sesi\u00f3n, generar secretos para firmar o cifrar datos de sesi\u00f3n de cookie y generar tokens utilizados para la protecci\u00f3n contra la falsificaci\u00f3n de solicitudes entre sitios (CSRF).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-338\"},{\"lang\":\"en\",\"value\":\"CWE-340\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tokuhirom:amon2:*:*:*:*:*:perl:*:*\",\"versionEndExcluding\":\"6.17\",\"matchCriteriaId\":\"0920218A-C374-46FB-A8C8-FC92ACFB73DB\"}]}]}],\"references\":[{\"url\":\"https://github.com/tokuhirom/Amon/pull/135\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://metacpan.org/release/TOKUHIROM/Amon2-6.17/changes\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"tags\":[\"Product\"]},{\"url\":\"https://metacpan.org/release/TOKUHIROM/Amon2-6.17/diff/TOKUHIROM/Amon2-6.16#lib/Amon2/Util.pm\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"tags\":[\"Product\"]},{\"url\":\"https://security.metacpan.org/docs/guides/random-data-for-security.html\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/03/28/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/03/28/4\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-03-28T20:06:46.387Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-15604\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-01T14:12:25.901323Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-01T14:12:56.077Z\"}}], \"cna\": {\"title\": \"Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-62\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-62 Cross Site Request Forgery\"}]}, {\"capecId\": \"CAPEC-115\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-115 Authentication Bypass\"}]}, {\"capecId\": \"CAPEC-586\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-586 Object Injection\"}]}], \"affected\": [{\"repo\": \"https://github.com/tokuhirom/Amon\", \"vendor\": \"TOKUHIROM\", \"product\": \"Amon2\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"6.17\", \"versionType\": \"custom\"}], \"packageName\": \"Amon2\", \"programFiles\": [\"lib/Amon2/Util.pm\"], \"collectionURL\": \"https://cpan.org/modules\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"Amon2::Util::random_string\"}]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to Amon2 version 6.17 or later.\"}], \"references\": [{\"url\": \"https://metacpan.org/release/TOKUHIROM/Amon2-6.17/diff/TOKUHIROM/Amon2-6.16#lib/Amon2/Util.pm\"}, {\"url\": \"https://metacpan.org/release/TOKUHIROM/Amon2-6.17/changes\", \"tags\": [\"release-notes\"]}, {\"url\": \"https://github.com/tokuhirom/Amon/pull/135\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://security.metacpan.org/docs/guides/random-data-for-security.html\", \"tags\": [\"technical-description\"]}], \"x_generator\": {\"engine\": \"cpansec-cna-tool 0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions.\\n\\nIn versions 6.06 through 6.16, the random_string function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes by concatenating a SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\\n\\nBefore version 6.06, there was no fallback when /dev/urandom was not available.\\n\\nBefore version 6.04, the random_string function used the built-in rand() function to generate a mixed-case alphanumeric string.\\n\\nThis function may be used for generating session ids, generating secrets for signing or encrypting cookie session data and generating tokens used for Cross Site Request Forgery (CSRF) protection.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-340\", \"description\": \"CWE-340 Generation of Predictable Numbers or Identifiers\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-338\", \"description\": \"CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator\"}]}], \"providerMetadata\": {\"orgId\": \"9b29abf9-4ab0-4765-b253-1875cd9b441e\", \"shortName\": \"CPANSec\", \"dateUpdated\": \"2026-03-28T18:43:56.318Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-15604\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-01T14:13:01.746Z\", \"dateReserved\": \"2026-03-08T23:56:33.670Z\", \"assignerOrgId\": \"9b29abf9-4ab0-4765-b253-1875cd9b441e\", \"datePublished\": \"2026-03-28T18:43:56.318Z\", \"assignerShortName\": \"CPANSec\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…