CVE-2025-1860: 
Linux Debian vulnerability analysis and mitigation

Data::Entropy for Perl version 0.007 and earlier contains a security vulnerability where it uses the rand() function as the default source of entropy for cryptographic functions. This vulnerability was discovered and disclosed in March 2025, affecting the Data::Entropy Perl module. The issue has been assigned CVE-2025-1860 (NVD).

The vulnerability stems from the use of Perl's built-in rand() function as the default entropy source, which is not cryptographically secure. The issue is present in the module's source code where it initializes the default entropy source using the rand() function for generating key material (MetaCPAN Source). The vulnerability has been classified as CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (NVD).

The use of a cryptographically weak random number generator in cryptographic functions can lead to predictable outputs, potentially compromising the security of any cryptographic operations that rely on this entropy source. This could affect the randomness and security of cryptographic operations performed using the Data::Entropy module (Perl Docs).

The vulnerability has been fixed in version 0.008-1 of the package. Debian has released security updates for affected versions, with version 0.007-3.1+deb11u1 available for Debian 11 (bullseye). Users are recommended to upgrade their libdata-entropy-perl packages to the fixed versions (Debian Security).