Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1814+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2025-15618: Perl Payment Module Uses Insecure
CVE-2025-15618: Perl Payment Module Uses Insecure

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2025-15618

CVE-2025-15618: Perl Payment Module Uses Insecure

Business::OnlinePayment::StoredTransaction through version 0.01 for Perl generates its secret key using an MD5 hash of a single rand() call — a...

Dylan H.

Security Team

April 1, 2026
6 min read

Affected Products

  • Business::OnlinePayment::StoredTransaction <= 0.01 (Perl/CPAN)

Executive Summary

CVE-2025-15618 is a critical cryptographic weakness (CVSS 9.1) in the Perl CPAN module Business::OnlinePayment::StoredTransaction through version 0.01. The module generates its internal secret key by computing the MD5 hash of a single call to Perl's built-in rand() function — a method that is entirely unsuitable for cryptographic use.

CVSS Score: 9.1 (Critical)

Perl's rand() is a pseudorandom number generator seeded with a predictable value (typically the current time). Combined with MD5, the resulting key space is trivially small and brute-forceable. Any attacker who can observe or interact with a system using this module — even with limited timing information — may be able to reconstruct the secret key and forge or decrypt stored transaction records.


Vulnerability Overview

AttributeValue
CVE IDCVE-2025-15618
CVSS Score9.1 (Critical)
TypeCryptographic Weakness / Insecure Randomness
Attack VectorNetwork
Privileges RequiredNone
User InteractionNone
Confidentiality ImpactHigh
Integrity ImpactHigh
Availability ImpactNone
Published2026-03-31
Patch AvailableNo — module deprecated at v0.01

Affected Products

ProductAffected VersionsRemediation
Business::OnlinePayment::StoredTransaction (Perl/CPAN)All versions through 0.01Remove or replace module — no patch available

Technical Analysis

Root Cause

The module generates a secret key using the following pattern:

# Pseudocode representation of the vulnerable key generation
use Digest::MD5 qw(md5_hex);
my $secret_key = md5_hex(rand());

This is fundamentally broken for two reasons:

  1. Perl's rand() is not cryptographically secure. It is a linear congruential or Mersenne Twister pseudorandom number generator seeded with the current time (or a fixed seed if srand() has not been called). An attacker with approximate knowledge of when the module was initialised can enumerate the possible seed values in a fraction of a second.

  2. A single rand() call produces at most 2^32 to 2^53 unique values depending on the platform, giving an extremely limited key space compared to what any cryptographic operation requires.

  3. MD5 is not a key derivation function. Even if the input were random, using raw MD5 without salt, iteration, or a proper KDF (such as PBKDF2, bcrypt, or Argon2) does not produce a cryptographically safe key.

Attack Flow

1. Attacker identifies a system using Business::OnlinePayment::StoredTransaction
2. Attacker determines approximate startup time of the application (e.g. via process listing,
   uptime data, log timestamps, or web server response headers)
3. Attacker enumerates plausible rand() seeds across a time window
4. For each candidate seed: compute MD5(rand()) to derive the predicted secret key
5. Attacker tests candidate keys against captured encrypted/authenticated transaction data
6. Correct key found — attacker can now forge, decrypt, or tamper with stored transactions

Why This Is Dangerous

Stored payment transaction modules hold or process sensitive financial data:

  • Card tokens or partial card data stored for recurring billing
  • Transaction authentication codes used to verify payment records
  • Session or authorization tokens for payment processor callbacks
  • Stored customer identifiers tied to payment methods

A compromised secret key allows an attacker to forge transaction records, decrypt stored payment data, and potentially bypass payment authorisation checks — with serious financial and compliance consequences.


Impact Assessment

Impact AreaDescription
Secret Key RecoveryAttacker reconstructs the secret key via brute-force of seeded rand() output
Transaction ForgeryWith the key, attackers can forge valid stored transaction records
Data DecryptionEncrypted stored transaction data becomes readable
PCI DSS ExposureAny application storing card data with this module is at risk of PCI DSS violation
Financial FraudForged transactions may be used to authorise fraudulent payments

Affected Ecosystem

This module is part of the Business::OnlinePayment family on CPAN — a widely used Perl payment processing abstraction layer. Applications built on the Perl ecosystem for e-commerce, subscription billing, and payment gateway integration may use this module. It is particularly common in legacy Perl web applications running on Apache/mod_perl stacks.


Immediate Remediation

Step 1: Identify Usage

# Check if the module is installed
perl -MBusiness::OnlinePayment::StoredTransaction -e 'print "installed\n"' 2>/dev/null
 
# Check CPAN installations
cpan -l | grep StoredTransaction
 
# Search for usage in your application code
grep -r "StoredTransaction" /var/www/ /opt/app/ --include="*.pl" --include="*.pm"

Step 2: Remove or Replace the Module

There is no patched version of this module. The only remediation is to remove it and replace it with a properly implemented alternative:

# Remove via cpanm
cpanm --uninstall Business::OnlinePayment::StoredTransaction
 
# Or via CPAN shell
perl -MCPAN -e 'CPAN::Shell->uninstall("Business::OnlinePayment::StoredTransaction")'

Step 3: Replace with Cryptographically Secure Key Generation

If you need to generate secret keys in Perl, use a cryptographically secure source:

# Correct approach: use /dev/urandom or Crypt::URandom
use Crypt::URandom qw(urandom);
use Digest::SHA qw(sha256_hex);
 
# Generate 32 bytes of cryptographically secure randomness
my $raw_key = urandom(32);
my $secret_key = sha256_hex($raw_key);
 
# Or using MIME::Base64 for a URL-safe representation
use MIME::Base64 qw(encode_base64url);
my $secret_key = encode_base64url(urandom(32));

Step 4: Rotate All Compromised Keys

If the module was in use, all keys it generated must be treated as compromised:

# Find and regenerate any keys or tokens created by the vulnerable module
# Invalidate all existing stored transaction tokens
# Force re-authorisation for any stored payment methods
# Notify your payment processor if card data may be affected

Step 5: Review for PCI DSS Compliance

If your application processes payment card data:

  1. Engage a Qualified Security Assessor (QSA) to assess the scope of the exposure
  2. File a self-assessment questionnaire update if required
  3. Notify your acquiring bank if stored card data may have been exposed
  4. Consider whether a data breach notification is required under applicable law

Secure Key Generation Reference

MethodSecurity LevelUse Case
rand() (Perl built-in)Insecure — do NOT use for secretsSimulation, non-security uses
Crypt::URandomCryptographically secureSecret keys, tokens, nonces
Data::GUIDUnique, not cryptographically strongIdentifiers only
/dev/urandom directlyCryptographically secureAny security-sensitive value
Bytes::Random::SecureCryptographically secureCPAN-standard secure random

Post-Remediation Checklist

  1. Remove Business::OnlinePayment::StoredTransaction from all systems
  2. Audit all stored transaction keys for signs of compromise
  3. Rotate all keys generated by the vulnerable module
  4. Replace with secure key generation using Crypt::URandom or /dev/urandom
  5. Review all other uses of Perl's rand() in security-sensitive contexts
  6. Notify stakeholders if payment data may have been exposed
  7. Update application security scanning to flag insecure random usage in Perl

References

  • NVD — CVE-2025-15618
  • CPAN — Business::OnlinePayment::StoredTransaction
  • Perl Documentation — rand()
  • CPAN — Crypt::URandom (secure alternative)
  • CPAN — Bytes::Random::Secure (secure alternative)

Related Reading

  • CVE-2026-4176: Perl Compress::Raw::Zlib Critical
  • CVE-2026-8507: Crypt::OpenSSL::PKCS12 Heap OOB Write — CVSS
  • Mar 31 Digest: Axios npm RAT, Claude Code Source Leaked
#CVE-2025-15618#Perl#CPAN#Cryptography#Weak Random#Online Payment#Supply Chain

Related Articles

CVE-2011-10043: Perl Module::Load Arbitrary Module Injection Resurfaces

A decade-old CVSS 9.8 flaw in Perl's Module::Load (before 0.22) allows attackers to load arbitrary modules outside @INC via '::'-prefixed names. Now formally assigned and published to NVD, prompting renewed patching urgency.

5 min read

CVE-2026-9733: Mojolicious OAuth2 Weak PRNG Enables CSRF Session Hijacking

A critical flaw in the Mojolicious::Plugin::Web::Auth::OAuth2 Perl module uses a predictable SHA-1 state derived from epoch time and rand(), allowing...

4 min read

CVE-2026-8507: Crypt::OpenSSL::PKCS12 Heap OOB Write — CVSS

A critical heap out-of-bounds write vulnerability in Crypt::OpenSSL::PKCS12 for Perl (versions through 1.94) can be triggered by parsing a malformed...

5 min read
Back to all Security Alerts