Vulnerability DatabaseCVE-2025-27551

CVE-2025-27551:
Linux Debian vulnerability analysis and mitigation

Overview

CVE-2025-27551 affects DBIx::Class::EncodedColumn up to version 0.00032, discovered and disclosed on March 26, 2025. The vulnerability exists in the password hashing mechanism where the software uses the rand() function, which is not cryptographically secure, for generating salt values. This issue specifically affects the program file lib/DBIx/Class/EncodedColumn/Digest.pm (NVD).

Technical details

The vulnerability stems from the use of Perl's built-in rand() function for generating salt values in password hashing operations. The rand() function is seeded by only 32-bits (4 bytes), making its output predictable and unsuitable for cryptographic purposes. The CVSS v3.1 base score is 4.0 (MEDIUM) with a vector string of CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating local access is required and the impact is primarily on confidentiality (NVD, CPAN Security).

Impact

The use of a weak random number generator for salt generation could potentially make password hashes more predictable, thereby weakening the overall security of the password storage system. This could lead to increased vulnerability to password cracking attempts (CPAN Security).

Mitigation and workarounds

The issue has been fixed in version 0.00032 of DBIx::Class::EncodedColumn, released on March 25, 2025. The fix replaces the rand() function with Crypt::URandom and Crypt::URandom::Token for secure salt generation. Users are advised to upgrade to version 0.00032 or later (Changes, Debian Changes).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

4

Score

Published March 26, 2025

Severity MEDIUM

CNA Score 4.0

Affected Technologies

Linux Debian
Linux Fedora

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 4.8

Exploitation Probability (EPSS) N/A

Affected packages and libraries

perl-Crypt-URandom-Token
perl-Crypt-URandom-Token-tests

Sources

NVD
Debian Security Tracker
- Debian 11 Severity MEDIUMNo FixAdded at: Mar 27, 2025
- Debian 13 Severity MEDIUMHas FixAdded at: Mar 27, 2025
- Debian 14 Severity MEDIUMHas FixAdded at: Aug 10, 2025
Echo
- Echo Severity MEDIUMHas FixAdded at: Nov 18, 2025

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Linux Debian vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-23884	HIGH	7.7	Linux Debian	freerdp3	No	No	Jan 19, 2026
CVE-2026-23883	HIGH	7.7	Linux Debian	freerdp3	No	No	Jan 19, 2026
CVE-2026-23534	HIGH	7.7	Linux Debian	freerdp-devel	No	No	Jan 19, 2026
CVE-2026-23533	HIGH	7.7	Linux Debian	freerdp3	No	No	Jan 19, 2026
CVE-2026-23732	MEDIUM	5.5	Linux Debian	freerdp-libs	No	No	Jan 19, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2025-27551: Linux Debian vulnerability analysis and mitigation