CVE-2024-58041
Smolder · Smolder (Perl)
Smolder versions through 1.51 use the insecure Perl rand() function for cryptographic operations. This lack of cryptographically secure entropy weakens the security of generated tokens and keys.
Executive summary
Smolder for Perl uses an insecure random number generator for cryptographic functions. This critical vulnerability makes generated values predictable and compromises the security of protected data.
Vulnerability
Smolder relies on the standard rand() function via the Data::Random library for cryptographic entropy. This function is not cryptographically secure, meaning the resulting "random" values are predictable. This flaw directly impacts the Smolder::DB::Developer component and any cryptographic tokens it generates.
Business impact
The use of predictable random values in a cryptographic context is rated at a CVSS score of 9.1. An attacker could potentially predict session tokens, CSRF tokens, or encryption keys, leading to session hijacking or data decryption. This undermines the entire security posture of the Smolder application and can lead to widespread unauthorized access.
Remediation
Immediate Action: Update Smolder to a version that utilizes a cryptographically secure pseudo-random number generator (CSPRNG), or manually patch the code to use Bytes::Random::Secure.
Proactive Monitoring: Monitor for session-related attacks or unusual patterns in user activity that might suggest session hijacking or token prediction.
Compensating Controls: Ensure that all sensitive communications are protected by TLS and consider rotating all existing cryptographic keys and secrets after the patch is applied.
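The following added example (not Smolder's code, and not taken from the project) contrasts the weak pattern described under Vulnerability with the Bytes::Random::Secure replacement named under Immediate Action. The function names, alphabet, token length and seed value are assumptions made for illustration; it requires Bytes::Random::Secure from CPAN.

```perl
#!/usr/bin/env perl
# Added example, not Smolder's code. weak_token() and secure_token() are
# hypothetical names; the alphabet and length are illustrative choices.
use strict;
use warnings;
use Bytes::Random::Secure qw(random_string_from);

my @ALPHABET = ( 'a' .. 'z', 'A' .. 'Z', '0' .. '9' );

# Weak pattern: every character is chosen with Perl's built-in rand(),
# a seeded, non-cryptographic PRNG. The whole token is a function of the seed.
sub weak_token {
    my ($length) = @_;
    return join '', map { $ALPHABET[ int rand @ALPHABET ] } 1 .. $length;
}

# Hardened pattern: characters come from a CSPRNG that Bytes::Random::Secure
# seeds from a strong entropy source, independent of srand()/rand().
sub secure_token {
    my ($length) = @_;
    return random_string_from( join( '', @ALPHABET ), $length );
}

# Generate two tokens with the given generator, resetting Perl's PRNG seed
# before each one, and report whether the two tokens are identical.
sub repeats_under_same_seed {
    my ( $generator, $seed ) = @_;
    srand($seed);
    my $first = $generator->(32);
    srand($seed);
    my $second = $generator->(32);
    return $first eq $second ? 1 : 0;
}

my $seed = 12345;    # constructed seed, used only for this demonstration

printf "rand()-based token repeats under the same seed: %s\n",
    repeats_under_same_seed( \&weak_token, $seed ) ? 'yes' : 'no';

printf "Bytes::Random::Secure token repeats under the same seed: %s\n",
    repeats_under_same_seed( \&secure_token, $seed ) ? 'yes' : 'no';
```

The rand()-based generator reproduces the same token whenever the seed is the same, which is why values it produced before patching should be treated as compromised and regenerated.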
Exploitation status
Public Exploit Available: No
Analyst recommendation
Cryptographic weaknesses are foundational flaws that require immediate remediation. Organizations using Smolder must move away from version 1.51 and earlier and ensure their Perl environment is configured to use secure entropy sources. We recommend a full audit of any tokens generated by the vulnerable version to ensure they are invalidated and regenerated.