CVE-2025-2814

4.0 MEDIUM

Published: April 13, 2025 Modified: April 15, 2026

Description

Crypt::CBC versions between 1.21 and 3.05 for Perl may use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. This issue affects operating systems where "/dev/urandom'" is unavailable. In that case, Crypt::CBC will fallback to use the insecure rand() function.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/lstein/Lib-Crypt-CBC/commit/37111f7cd894bcec46156ba7f40a49c126ebf535.patch

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

https://metacpan.org/dist/Crypt-CBC/source/lib/Crypt/CBC.pm#L777

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

https://perldoc.perl.org/functions/rand

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

https://security.metacpan.org/docs/guides/random-data-for-security.html

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

4 reference(s) from NVD

Quick Stats

CVSS v3 Score

4.0 / 10.0

EPSS (Exploit Probability)

0.1%

30th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-329 CWE-331 CWE-338 CWE-338

Related CVEs

CVE-2026-7041 3.7

CVE-2026-7039 7.8

CVE-2026-7038 3.3

CVE-2026-7037 9.8

CVE-2026-7036 7.3