CVE-2025-40905

EUVD-2025-206911
WWW::OAuth 1.000 and earlier for Perl uses the rand() function, which is not cryptographically secure, as the default source of entropy for cryptographic functions.
PRNG
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 7.3 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| CISA-ADP | ADP | 7.3 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
Awaiting analysis
This vulnerability is currently awaiting analysis.
EPSS Score percentile: 16%
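Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| libwww-oauth-perl | bookworm | | no-dsa |
| libwww-oauth-perl | bullseye | | postponed |
| libwww-oauth-perl | forky | 1.003-1 | fixed |
| libwww-oauth-perl | sid | 1.003-1 | fixed |
| libwww-oauth-perl | trixie | 1.002-1 | fixed |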
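Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| libwww-oauth-perl | focal | needs-triage |
| libwww-oauth-perl | jammy | needs-triage |
| libwww-oauth-perl | noble | needs-triage |
| libwww-oauth-perl | questing | not-affected |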