
CVE-2025-15578: Teejay Maypole Information Disclosure

CVE-2025-15578 is an information disclosure vulnerability in Teejay Maypole versions 2.10 through 2.13 for Perl, caused by insecure session ID generation. This article covers technical details, affected versions, and mitigation.

CVE-2025-15578 Overview

CVE-2025-15578 affects the Maypole web application framework for Perl, versions 2.10 through 2.13. The framework generates session identifiers using predictable inputs, specifically the system time, the built-in rand() function, and the process identifier (PID). An attacker can recover the system time from HTTP response headers, narrow the entropy space, and predict valid session IDs. This weakness maps to CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator and enables session hijacking against authenticated users.

Critical Impact

Attackers can predict session identifiers remotely without authentication, hijack active sessions, and gain unauthorized access to user accounts and protected application functionality.

Affected Products

  • Teejay Maypole 2.10 (Perl)
  • Teejay Maypole 2.111 (Perl)
  • Teejay Maypole 2.121 through 2.13 (Perl)

Discovery Timeline

  • 2026-02-16 - CVE-2025-15578 published to NVD
  • 2026-03-10 - Last updated in NVD database

Technical Details for CVE-2025-15578

Vulnerability Analysis

Maypole is a Model-View-Controller (MVC) framework for building web applications in Perl. The framework issues a session identifier to each client to track authenticated state across HTTP requests. Predictable session IDs allow remote attackers to bypass authentication by guessing valid identifiers belonging to other users.

The weakness is rooted in the seeding strategy used by Maypole::Session. Each of the three seed components offers limited entropy and is partially observable. An attacker who measures the server clock through the Date response header can constrain the time component to a narrow window. The PID is bounded by the operating system maximum, and Perl's rand() is not a cryptographically secure pseudo-random number generator.

Combined, these inputs produce a search space small enough for offline brute force. The attacker iterates candidate seeds, regenerates session IDs, and submits each as a session cookie until the application accepts one.

Root Cause

The session generation routine in lib/Maypole/Session.pm mixes low-entropy values rather than reading from a cryptographically secure source such as /dev/urandom or Crypt::URandom. Reference: MetaCPAN Maypole Session Source.

Attack Vector

The attack requires only network access to the target application. The adversary first issues a benign HTTP request to capture the Date header and approximate the server clock. The adversary then enumerates candidate PIDs and rand() outputs, computes the resulting session ID for each combination, and replays each candidate as an authentication cookie. A successful match grants full access to the victim's session.

No verified public exploit code is available for this issue at the time of writing.

Detection Methods for CVE-2025-15578

Indicators of Compromise

  • High volumes of HTTP requests carrying sequential or near-sequential session cookie values originating from a single source address.
  • Repeated 401, 403, or session-invalid responses from a client immediately followed by an authenticated 200 response using a different session ID.
  • Concurrent active sessions for the same user account from disparate geographic locations or user-agent strings.

Detection Strategies

  • Inspect application logs for clients submitting many distinct session identifiers in rapid succession against the same endpoint.
  • Correlate Date header probes followed by bursts of cookie-bearing requests as a pre-attack reconnaissance pattern.
  • Alert on session reuse where the same session ID is observed from multiple source IP addresses within a short interval.
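
The first and third strategies above can be prototyped over access-log records. This Perl sketch is an added example, not part of the advisory or of Maypole; the record layout (epoch, source IP, status, session cookie), the thresholds and the sample lines are all constructed assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $WINDOW  = 60;  # seconds; assumed tuning value
my $MAX_IDS = 5;   # distinct session IDs per source per window; assumed

# Constructed sample records: epoch, source IP, HTTP status, session cookie.
my @log = (
    '1700000000 203.0.113.9 200 -',                                # cookie-less request
    '1700000001 192.0.2.44 200 5f2c9a0e4b7d41c8a3e6f01b9d2c7e55',  # established user
    (map { sprintf '%d 203.0.113.9 403 %032x', 1700000001 + $_, 0xa000 + $_ } 1 .. 8),
    '1700000012 203.0.113.9 200 5f2c9a0e4b7d41c8a3e6f01b9d2c7e55', # same ID, new source
);

# Returns two array refs: sources cycling through many session IDs, and
# session IDs presented by more than one source inside the window.
sub analyze {
    my @lines = @_;
    my (%by_ip, %by_sid, %guessers, %shared);
    for my $line (@lines) {
        my ($ts, $ip, undef, $sid) = split ' ', $line;
        next unless defined $sid && $sid ne '-';

        # Sliding window of [time, id] pairs per source address.
        my $q = $by_ip{$ip} //= [];
        push @$q, [$ts, $sid];
        shift @$q while $q->[0][0] < $ts - $WINDOW;
        my %distinct = map { ($_->[1] => 1) } @$q;
        $guessers{$ip} = 1 if keys(%distinct) > $MAX_IDS;

        # Last time each source presented this session ID.
        my $seen = $by_sid{$sid} //= {};
        $seen->{$ip} = $ts;
        my @recent = grep { $seen->{$_} >= $ts - $WINDOW } keys %$seen;
        $shared{$sid} = 1 if @recent > 1;
    }
    return ([sort keys %guessers], [sort keys %shared]);
}

my ($guessers, $shared) = analyze(@log);
print "many distinct session IDs from $_\n"        for @$guessers;
print "session ID seen from several sources: $_\n" for @$shared;
```

On the constructed records this reports 203.0.113.9 for the first rule and the shared cookie value for the second. Clients behind a shared NAT or a mobile network can trip the second rule legitimately, so tune the window against a baseline.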

Monitoring Recommendations

  • Forward Maypole access logs to a central analytics pipeline and retain cookie metadata long enough to support replay analysis.
  • Track per-user session counts and flag accounts whose active session count exceeds an established baseline.
  • Monitor for unusual user-agent or IP transitions tied to a single session identifier.

How to Mitigate CVE-2025-15578

Immediate Actions Required

  • Inventory all internet-facing Perl applications and identify any deployment using Maypole between 2.10 and 2.13.
  • Invalidate all existing session cookies and force users to reauthenticate after deploying a fix.
  • Place affected applications behind a web application firewall (WAF) and rate-limit requests that submit invalid session cookies.

Patch Information

No vendor-published fixed version is referenced in the NVD entry at this time. Operators should monitor the Maypole distribution on MetaCPAN for an updated release and apply it as soon as it is available.

Workarounds

  • Replace the default Maypole::Session ID generator with a subclass that draws bytes from a cryptographically secure source such as Crypt::URandom or /dev/urandom.
  • Remove or normalize the Date response header at a reverse proxy to limit clock disclosure available to remote attackers.
  • Shorten session lifetimes and require reauthentication for sensitive operations to reduce the value of a hijacked session.
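```nginx
# Configuration example for an nginx reverse proxy placed in front of the
# Maypole application.
# Caveat: nginx already drops the upstream Date header by default and sends
# its own, so this directive is redundant and clients still see the proxy's
# clock. It limits disclosure only if that clock differs from the app host's.
proxy_hide_header Date;
add_header Cache-Control "no-store" always;
```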
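
For the first workaround, the following Perl sketch draws every character of the ID from Crypt::URandom. It is an added example, not Maypole's code or a vendor patch; `secure_session_id` is a hypothetical name, and the override assumes the framework's generator is the package function `Maypole::Session::generate_unique_id`, which you should confirm against your installed lib/Maypole/Session.pm.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::URandom qw(urandom);    # CPAN module backed by the OS CSPRNG

my $MIN_HEX = 32;                  # 32 hex characters = 128 random bits

# Hypothetical replacement generator. No time(), rand() or $$ is mixed in,
# so nothing observable in response headers narrows the search space.
sub secure_session_id {
    my $hex_len = shift || $MIN_HEX;
    die "refusing session ID shorter than $MIN_HEX hex characters\n"
        if $hex_len < $MIN_HEX;
    my $bytes = int(($hex_len + 1) / 2);
    return substr(unpack('H*', urandom($bytes)), 0, $hex_len);
}

# Assumption: the framework's generator is the package function
# Maypole::Session::generate_unique_id. Skipped when Maypole is not installed.
if (eval { require Maypole::Session; 1 }) {
    no warnings qw(redefine once);
    *Maypole::Session::generate_unique_id = \&secure_session_id;
}

# Self-check when run as a script: correct shape, no repeats in 1000 draws.
unless (caller) {
    my %seen;
    for (1 .. 1000) {
        my $id = secure_session_id();
        die "malformed ID\n" unless $id =~ /\A[0-9a-f]{32}\z/;
        die "duplicate ID\n" if $seen{$id}++;
    }
    print "ok: ", secure_session_id(), "\n";
}
```

Load the override once at application start-up, after Maypole itself has been loaded, and invalidate existing sessions so no ID from the old generator remains valid.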

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
