CVE-2025-1860: Data::Entropy for Perl uses insecure rand() function for cryptographic functions

Description

Data::Entropy for Perl 0.007 and earlier use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.

Classification

CVE ID: CVE-2025-1860

Problem Types

CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Affected Products

Vendor: ZEFRAM

Product: Data::Entropy

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 8.02% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1860
https://perldoc.perl.org/functions/rand
https://metacpan.org/release/ZEFRAM/Data-Entropy-0.007/source/lib/Data/Entropy.pm#L80

Timeline

2025-03-28 02:40:18 UTC
CVE

Data::Entropy for Perl uses insecure rand() function for cryptographic functions
2025-04-17 11:30:37 UTC
Tenable Plugins

openSUSE 15 Security Update : perl-Data-Entropy (openSUSE-SU-2025:0123-1)