Vulnerability in Lds Crypt::cbc

CVE-2025-2814

Crypt::CBC versions between 1.21 and 3.05 for Perl may use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. This issue affects operating systems where "/dev/urandom'…

EPSS: 0.000 (13.2th percentile)

Frequently asked questions

What is CVE-2025-2814?
CVE-2025-2814 is a vulnerability in Lds Crypt::cbc, classified under Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG). Published 2025-04-12.
Is CVE-2025-2814 known to be exploited?
1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.