Fluid Attacks Database

Description

Crypt::CBC versions between 1.21 and 3.05 for Perl may use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. This issue affects operating systems where "/dev/urandom'" is unavailable. In that case, Crypt::CBC will fallback to use the insecure rand() function.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	libcrypt-cbc-perl	=2.33-2 \|\| =3.04-1 \|\| =3.04-2 \|\| =3.04-3 \|\| =3.07-1	-
debian 12	libcrypt-cbc-perl	=3.04-3 \|\| =3.07-1	-
debian 13	libcrypt-cbc-perl	=3.04-3 \|\| =3.07-1	-
debian 14	libcrypt-cbc-perl	=3.04-3 \|\| >=0 <3.07-1	3.07-1
rpm rhel7	perl-Crypt-CBC	-	-

Aliases

1. CVE-2025-28142. NVD-2025-28143. OSV-DEBIAN-2025-28144. OSV-2025-28145. SECURITY-TRACKER-CVE-2025-2814

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.