Fluid Attacks Database

Description

Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. * Data::UUID does not use a strong cryptographic source for generating UUIDs. * Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562. * The nonces should be generated from a strong cryptographic source, as per RFC 7616.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	libcatalyst-authentication-credential-http-perl	=1.018-1 \|\| =1.018-2 \|\| =1.018-3 \|\| =1.018-4 \|\| =1.019-1	-
debian 12	libcatalyst-authentication-credential-http-perl	=1.018-2 \|\| =1.018-3 \|\| =1.018-4 \|\| =1.019-1	-
debian 13	libcatalyst-authentication-credential-http-perl	=1.018-3 \|\| =1.018-4 \|\| =1.019-1	-
debian 14	libcatalyst-authentication-credential-http-perl	=1.018-3 \|\| >=0 <1.018-4	1.018-4

Aliases

1. CVE-2025-409202. NVD-2025-409203. OSV-DEBIAN-2025-409204. OSV-2025-409205. SECURITY-TRACKER-CVE-2025-40920

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.