
Cloud Vulnerability DB
A community-led vulnerabilities database
Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl contain a security vulnerability in their nonce generation mechanism. The vulnerability was discovered on August 11, 2025, and is tracked as CVE-2025-40920. The affected software generates nonces using the Perl Data::UUID library, which does not provide cryptographically secure random number generation (OSS_SECURITY).
The vulnerability stems from the use of the Data::UUID library to generate nonces during authentication. The technical issues are threefold: Data::UUID does not draw on a strong cryptographic source when generating UUIDs; it returns v3 UUIDs, which are derived from known information and are unsuitable for security purposes per RFC 9562; and RFC 7616 requires that nonces be generated from a strong cryptographic source. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.6 HIGH with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L (NVD).
Predictable or cryptographically weak nonces undermine the guarantees the authentication mechanism relies on, and could allow an attacker to compromise it. This could lead to unauthorized access; the CVSS score reflects a high confidentiality impact together with low integrity and availability impacts (NVD).
A patch has been developed that replaces the Data::UUID library with Crypt::SysRandom for nonce generation. The fix uses Crypt::SysRandom::randombytes(20) to obtain 20 bytes from the operating system's cryptographically secure random source for each nonce. Users should upgrade to a version that includes this patch ([GITHUBPATCH](https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/commit/ad2c03aad95406db4ce35dfb670664ebde004c18.patch)).
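As an added illustration (not code from the Catalyst module or from the patch itself), the weak and the fixed nonce generators side by side in Perl. It assumes both modules are installed and that Crypt::SysRandom's documented export is `random_bytes` (the advisory text above writes it as `randombytes`); the `nonce_looks_sane` helper is hypothetical.

```perl
#!/usr/bin/env perl
# Added illustration of the CVE-2025-40920 nonce-generation pattern,
# before and after the fix. Not the module's own code.
use strict;
use warnings;

# --- Before: the pattern the advisory describes as vulnerable -------------
# Data::UUID derives its UUIDs from known information rather than from a
# cryptographic RNG, so the result is unsuitable as a Digest-auth nonce.
sub nonce_weak {
    require Data::UUID;
    my $ug = Data::UUID->new;
    return $ug->create_str;    # UUID string; not unpredictable
}

# --- After: the fix's approach, 20 bytes from the OS CSPRNG ---------------
# Crypt::SysRandom reads from the kernel's random source. random_bytes is
# its documented export (assumption: see lead-in); 20 bytes = 160 bits.
sub nonce_strong {
    require Crypt::SysRandom;
    my $bytes = Crypt::SysRandom::random_bytes(20);
    return unpack 'H*', $bytes;    # 40 hex chars, safe inside a header
}

# Hypothetical sanity check before placing a nonce in a WWW-Authenticate
# challenge: exactly 40 lowercase hex characters, nothing else.
sub nonce_looks_sane {
    my ($nonce) = @_;
    return defined $nonce && $nonce =~ /\A[0-9a-f]{40}\z/ ? 1 : 0;
}

# Demonstration: the weak form fails the shape check the fixed form passes,
# and two fixed nonces never repeat in practice.
my $weak = nonce_weak();
my ($s1, $s2) = (nonce_strong(), nonce_strong());
printf "weak   : %s  sane=%d\n", $weak, nonce_looks_sane($weak);
printf "strong : %s  sane=%d\n", $s1,   nonce_looks_sane($s1);
printf "distinct strong nonces: %s\n", $s1 ne $s2 ? 'yes' : 'NO (investigate)';
```

When reviewing other Perl services for the same class of issue, grep for Data::UUID in anything that produces nonces, session tokens or CSRF tokens and confirm the value actually comes from a CSPRNG-backed module.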
The security community has responded promptly to the vulnerability, with NixOS package maintainers already working on applying the patch to their distributions. The fix has been merged into the main repository after security review (GITHUB_PR).
Source: This report was generated using AI