CVE-2025-2814

MEDIUM

Crypt::CBC <3.05 - Info Disclosure

Title source: llm

Description

Crypt::CBC versions between 1.21 and 3.05 for Perl may use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. This issue affects operating systems where "/dev/urandom'" is unavailable. In that case, Crypt::CBC will fallback to use the insecure rand() function.

References (4)

[Various Sources] https://metacpan.org/dist/Crypt-CBC/source/lib/Crypt/CBC.pm#L777

[Various Sources] https://perldoc.perl.org/functions/rand

[Various Sources] https://security.metacpan.org/docs/guides/random-data-for-security.html

[Patch] https://github.com/lstein/Lib-Crypt-CBC/commit/37111f7cd894bcec46156ba7f40a49c126ebf535.patch

Scores

CVSS v3 4.0

EPSS 0.0012

EPSS Percentile 30.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-329 CWE-331 CWE-338

Status published

Products (1)

LDS/Crypt::CBC 1.21 - 3.05

Published Apr 13, 2025

Tracked Since Feb 18, 2026