CVE-2025-1860

CVE-2025-1860 is a vulnerability in the Data::Entropy Perl module, affecting versions 0.007 and earlier. The module relies on Perl's rand() function as the default entropy source for cryptographic functions, but rand() is not cryptographically secure, leading to predictable outputs that undermine security. This issue is classified under CWE-331 (Insufficient Entropy) and CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator), with a CVSS v3.1 base score of 7.7.

The vulnerability can be exploited by a local attacker with low attack complexity, requiring no privileges (PR:N), no user interaction (UI:N), and local access (AV:L), resulting in unchanged scope (S:U). Exploitation enables high impacts on confidentiality (C:H) and integrity (I:H) with no availability impact (A:N), potentially allowing attackers to predict or forge cryptographic values such as keys, nonces, or signatures used by applications depending on this module.

Advisories provide guidance on mitigation, including a Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/03/msg00026.html. Additional technical details are available in the affected source code at https://metacpan.org/release/ZEFRAM/Data-Entropy-0.007/source/lib/Data/Entropy.pm#L80 and Perl's rand() documentation at https://perldoc.perl.org/functions/rand.