To build the captcha session id, we use the MD5 of the captcha code:
my $md5 = md5_hex($code);
But an attacker can brute force the MD5 to find the captcha code:
The recommendation is to have a captcha session id that has no link with the captcha code.
The issue seems to affect versions 1.9 and 2.0.
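
The derivation quoted above next to one way to follow the recommendation, as an added example that is not the project's own code. The store, the function names, the TTL and the use of `/dev/urandom` (Unix-like systems) are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Hypothetical in-memory store standing in for the server-side session backend.
my %captcha_store;
my $TTL = 120;    # seconds a captcha stays valid (assumed value)

# Pattern described above: the id is a function of the code, so anyone
# holding the id can search the small captcha code space offline.
sub weak_captcha_id {
    my ($code) = @_;
    return md5_hex($code);
}

# Hardened: 128 random bits from the OS CSPRNG, unrelated to the code.
sub new_captcha_id {
    open( my $fh, '<:raw', '/dev/urandom' ) or die "urandom: $!";
    my $n = read( $fh, my $buf, 16 );
    close $fh;
    die "short read from urandom" unless defined $n && $n == 16;
    return unpack( 'H*', $buf );
}

# The code is kept server-side only, keyed by the random id.
sub store_captcha {
    my ($code) = @_;
    my $id = new_captcha_id();
    $captcha_store{$id} = { code => $code, expires => time + $TTL };
    return $id;
}

# Single use: the entry is deleted on the first attempt, right or wrong.
sub check_captcha {
    my ( $id, $answer ) = @_;
    my $entry = delete $captcha_store{ $id // '' } or return 0;
    return 0 if time > $entry->{expires};
    return ( defined $answer && $answer eq $entry->{code} ) ? 1 : 0;
}

my $code = '483920';    # constructed sample captcha code
my $id   = store_captcha($code);
printf "weak id:   %s (derived from the code)\n", weak_captcha_id($code);
printf "random id: %s (independent of the code)\n", $id;
printf "correct answer accepted: %d\n", check_captcha( $id, $code );
printf "replay of same id accepted: %d\n", check_captcha( $id, $code );
```

Because the random id carries no information about the code, exposing it to the client reveals nothing, and deleting the entry on first use prevents repeated guessing against the same captcha.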