CVE-2025-15604

Published Mar 28, 2026

Last updated 12 hours ago

Perl
Amon2

Overview

Description
Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions. In versions 6.06 through 6.16, the random_string function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes by concatenating a SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Before version 6.06, there was no fallback when /dev/urandom was not available. Before version 6.04, the random_string function used the built-in rand() function to generate a mixed-case alphanumeric string. This function may be used for generating session ids, generating secrets for signing or encrypting cookie session data and generating tokens used for Cross Site Request Forgery (CSRF) protection.
Source
9b29abf9-4ab0-4765-b253-1875cd9b441e
NVD status
Awaiting Analysis

Weaknesses

9b29abf9-4ab0-4765-b253-1875cd9b441e
CWE-338

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

2

  1. Attention, elevated activities detected targeting TOKUHIROM Amon2 (CVE-2025-15604) https://t.co/Byp9CQbxir

    @vuldb

    29 Mar 2026

    169 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-15604 Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions. In versions 6.06 through 6.16, the random_string function wi… https://t.co/xIGMBmJiU0

    @CVEnew

    29 Mar 2026

    99 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Perl CPAN CVE-2025-15604: Amon2 versions before 6.17 use an insecure random_string implementation for security functions https://t.co/vl2ZSjYQn2 CVE-2026-3256: HTTP::Session versions through 0.53 defaults to using insecurely generated session ids https://t.co/WILUcElIQS

    @oss_security

    29 Mar 2026

    550 Impressions

    0 Retweets

    4 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Related CVEs

  1. A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.CVE-2024-56406

References

Sources include official advisories and independent security research.