CVE-2025-27552: 
Linux Debian vulnerability analysis and mitigation

DBIx::Class::EncodedColumn contains a security vulnerability (CVE-2025-27552) related to the use of the non-cryptographically secure rand() function for password hash salting. The vulnerability affects DBIx::Class::EncodedColumn versions up to 0.00032 and is specifically associated with the program files Crypt/Eksblowfish/Bcrypt.pm (NVD, Debian Tracker).

The vulnerability stems from the use of Perl's built-in rand() function for generating salt values in password hashing operations. The rand() function is cryptographically weak as it is seeded by only 32-bits (4 bytes), making its output predictable. The vulnerability has been assigned CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator) and has received a CVSS 3.1 base score of 4.0 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD, Security Guide).

The use of a weak random number generator for salt generation could potentially make password hashes more susceptible to cracking attempts, as the predictability of the salt values reduces the effectiveness of the password hashing mechanism (Security Guide).

The vulnerability has been fixed in DBIx::Class::EncodedColumn version 0.00032, which implements the use of a secure random source for salts. Users should upgrade to this version or later. For Debian systems, the fix is available in version 0.00020-3 in the sid and trixie releases (Changes Log, Debian Tracker).