Net::OAuth: use of weak PRNG (CVE-2025-22376)

Summary

In today's podcast, we cover CVE-2025-22376, a critical security vulnerability in the Net::OAuth package for Perl. This vulnerability, identified as a CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator, affects all versions up to 0.28. It highlights the risks associated with the use of weak pseudo-random number generators in cryptographic operations.

Product details

Net::OAuth is a Perl package used for implementing OAuth, a popular authorization framework that allows third-party services to exchange user data without requiring them to know user credentials. The vulnerability affects the Net::OAuth::Client component responsible for generating unique nonces, which are vital for securing communication sessions.

Vulnerability type summary

This vulnerability falls under the CWE-338 category, characterized by the use of a cryptographically weak pseudo-random number generator (PRNG). In this case, Net::OAuth uses a 32-bit integer generated by Perl's built-in rand() function as the default nonce, which lacks the necessary cryptographic strength for secure operations.

Details of the vulnerability

The issue arises from the use of a weak PRNG to generate nonces, which are supposed to be unique and unpredictable values used to secure interactions and prevent replay attacks. The weak 32-bit integers generated by rand() are predictable and lack sufficient entropy, making the system vulnerable to attacks. The vulnerability affects all versions of the Net::OAuth package for Perl up to 0.28. Users must update to version 0.29 or later to mitigate this issue. Security patches have been released in Fedora 40 and 41 to address this vulnerability.
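The two nonce properties named above, unpredictability and uniqueness, can be checked directly. The Perl script below is an added example, not code from Net::OAuth or from this page; the function names are hypothetical, the seed is constructed, and it assumes a Unix-like host that provides /dev/urandom.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern the CVE description names: a 32-bit integer from the built-in rand().
# (weak_nonce is a hypothetical name for this example.)
sub weak_nonce { return int( rand( 2**32 ) ) }

# Hardened form: $len bytes from the kernel CSPRNG, hex-encoded.
# Assumes a Unix-like host that provides /dev/urandom.
sub strong_nonce {
    my ($len) = @_;
    $len //= 16;    # 16 bytes = 128 bits
    open( my $fh, '<:raw', '/dev/urandom' )
        or die "cannot open /dev/urandom: $!";
    my $got = read( $fh, my $buf, $len );
    close $fh;
    die "short read from /dev/urandom\n" unless defined $got && $got == $len;
    return unpack( 'H*', $buf );
}

# Birthday approximation: chance that at least two of $n nonces collide
# when each is drawn uniformly from a space of 2**$bits values.
sub collision_probability {
    my ( $n, $bits ) = @_;
    my $x = $n * ( $n - 1 ) / ( 2 * 2**$bits );
    return $x < 1e-8 ? $x : 1 - exp( -$x );    # avoid rounding to 0 for tiny $x
}

# 1. Predictability: rand() output is a pure function of the seed, so the
#    same seed reproduces the same nonce sequence.
srand(20250103);    # constructed seed, for the demonstration only
my @first = map { weak_nonce() } 1 .. 3;
srand(20250103);
my @second = map { weak_nonce() } 1 .. 3;
print "rand() nonces, run 1: @first\n";
print "rand() nonces, run 2: @second\n";
print "identical sequences:  ", ( "@first" eq "@second" ? "yes" : "no" ), "\n";

# 2. Uniqueness: collision odds for 32-bit versus 128-bit nonces.
for my $n ( 10_000, 100_000, 1_000_000 ) {
    printf "%9d nonces: P(collision) 32-bit = %.4f, 128-bit = %.3g\n",
        $n, collision_probability( $n, 32 ), collision_probability( $n, 128 );
}

# 3. Replacement value drawn from the OS CSPRNG.
print "CSPRNG nonce: ", strong_nonce(), "\n";
```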

Conclusion

CVE-2025-22376 is a reminder of the importance of using cryptographically strong algorithms for generating random numbers in security applications. Developers and systems administrators using Net::OAuth in Perl must ensure they have updated their systems to the latest secure version to protect against potential attacks. Stay tuned for updates and always prioritize patching vulnerabilities in your systems to maintain a secure environment.

CVE database technical details

CVE ID: CVE-2025-22376
Description: In Net::OAuth::Client in the Net::OAuth package before 0.29 for Perl, the default nonce is a 32-bit integer generated from the built-in rand() function, which is not cryptographically strong.
Provider: mitre
CWE / problem types: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Affected Software Versions: n/a:n/a:[{'status': 'affected', 'version': 'n/a'}]
Date Published: 2025-01-03T00:00:00
Last Updated: 2025-01-21T17:49:18.077Z