Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions
Summary
| CVE | CVE-2025-15604 |
|---|---|
| State | PUBLISHED |
| Assigner | CPANSec |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-28 19:16:53 UTC |
| Updated | 2026-04-01 15:16:23 UTC |
| Description | Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions. In versions 6.06 through 6.16, the random_string function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes by concatenating a SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Before version 6.06, there was no fallback when /dev/urandom was not available. Before version 6.04, the random_string function used the built-in rand() function to generate a mixed-case alphanumeric string. This function may be used for generating session ids, generating secrets for signing or encrypting cookie session data and generating tokens used for Cross Site Request Forgery (CSRF) protection. |
Risk And Classification
Primary CVSS: v3.1 9.8 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.000440000 probability, percentile 0.135570000 (date 2026-04-01)
Problem Types: CWE-338 | CWE-340 | CWE-340 CWE-340 Generation of Predictable Numbers or Identifiers | CWE-338 CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | ADP | DECLARED | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/tokuhirom/Amon/pull/135 | 9b29abf9-4ab0-4765-b253-1875cd9b441e | github.com | Issue Tracking, Patch |
| www.openwall.com/lists/oss-security/2026/03/28/4 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Mailing List, Third Party Advisory |
| metacpan.org/release/TOKUHIROM/Amon2-6.17/changes | 9b29abf9-4ab0-4765-b253-1875cd9b441e | metacpan.org | Product |
| security.metacpan.org/docs/guides/random-data-for-security.html | 9b29abf9-4ab0-4765-b253-1875cd9b441e | security.metacpan.org | Third Party Advisory |
| metacpan.org/release/TOKUHIROM/Amon2-6.17/diff/TOKUHIROM/Amon2-6.16 | 9b29abf9-4ab0-4765-b253-1875cd9b441e | metacpan.org | Product |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
Solutions
CNA: Upgrade to Amon2 version 6.17 or later.
There are currently no legacy QID mappings associated with this CVE.