#VU106276 Use of insufficiently random values in Data-Entropy - CVE-2025-1860

Cybersecurity Help s.r.o.

Published: 2025-03-31

Vulnerability identifier: #VU106276

Vulnerability risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-1860

CWE-ID: CWE-330

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Data-Entropy
Other software / Other software solutions

Vendor: ZEFRAM

Description

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists due to software uses the rand() function as the default source of entropy, which is not cryptographically secure. A remote attacker can bypass implemented security restrictions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Data-Entropy: 0.000 - 0.007

External links
https://metacpan.org/release/ZEFRAM/Data-Entropy-0.007/source/lib/Data/Entropy.pm#L80

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora 42 update for perl-Data-Entropy

Fedora 40 update for perl-Data-Entropy

Fedora EPEL 8 update for perl-Data-Entropy

Fedora EPEL 9 update for perl-Data-Entropy

Fedora 41 update for perl-Data-Entropy

Use of insufficiently random values in Data::Entropy for Perl