← Back
2025-12-27 9:2CVE-2025-15105VulDB
PUBLISHED5.2CWE-321CWE-320

getmaxun auth.ts hard-coded key

A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Problem type

Affected products

getmaxun

maxun

0.0.1 - AFFECTED

0.0.2 - AFFECTED

0.0.3 - AFFECTED

0.0.4 - AFFECTED

0.0.5 - AFFECTED

0.0.6 - AFFECTED

0.0.7 - AFFECTED

0.0.8 - AFFECTED

0.0.9 - AFFECTED

0.0.10 - AFFECTED

0.0.11 - AFFECTED

0.0.12 - AFFECTED

0.0.13 - AFFECTED

0.0.14 - AFFECTED

0.0.15 - AFFECTED

0.0.16 - AFFECTED

0.0.17 - AFFECTED

0.0.18 - AFFECTED

0.0.19 - AFFECTED

0.0.20 - AFFECTED

0.0.21 - AFFECTED

0.0.22 - AFFECTED

0.0.23 - AFFECTED

0.0.24 - AFFECTED

0.0.25 - AFFECTED

0.0.26 - AFFECTED

0.0.27 - AFFECTED

0.0.28 - AFFECTED

References

VDB-338476 | getmaxun auth.ts hard-coded key

https://vuldb.com/?id.338476

vdb-entrytechnical-description
VDB-338476 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/?ctiid.338476

signaturepermissions-required
Submit #710256 | https://github.com/getmaxun https://github.com/getmaxun/maxun ≤ v0.0.28 Authentication Bypass by Primary Weakness

https://vuldb.com/?submit.710256

third-party-advisory
gist.github.com

https://gist.github.com/H2u8s/40be31987e52fc81076b6bfcfbdf3cd6

exploit

GitHub Security Advisories

GHSA-9m78-g4jr-6549

A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown...

https://github.com/advisories/GHSA-9m78-g4jr-6549

A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2025-15105

gist.github.com

https://gist.github.com/H2u8s/40be31987e52fc81076b6bfcfbdf3cd6

vuldb.com

https://vuldb.com/?ctiid.338476

vuldb.com

https://vuldb.com/?id.338476

vuldb.com

https://vuldb.com/?submit.710256

github.com

https://github.com/advisories/GHSA-9m78-g4jr-6549

JSON source

https://cveawg.mitre.org/api/cve/CVE-2025-15105
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2025-15105",
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "dateUpdated": "2025-12-27T09:02:06.124Z",
    "dateReserved": "2025-12-26T18:10:50.723Z",
    "datePublished": "2025-12-27T09:02:06.124Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB",
        "dateUpdated": "2025-12-27T09:02:06.124Z"
      },
      "title": "getmaxun auth.ts hard-coded key",
      "descriptions": [
        {
          "lang": "en",
          "value": "A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key\r . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "affected": [
        {
          "vendor": "getmaxun",
          "product": "maxun",
          "versions": [
            {
              "version": "0.0.1",
              "status": "affected"
            },
            {
              "version": "0.0.2",
              "status": "affected"
            },
            {
              "version": "0.0.3",
              "status": "affected"
            },
            {
              "version": "0.0.4",
              "status": "affected"
            },
            {
              "version": "0.0.5",
              "status": "affected"
            },
            {
              "version": "0.0.6",
              "status": "affected"
            },
            {
              "version": "0.0.7",
              "status": "affected"
            },
            {
              "version": "0.0.8",
              "status": "affected"
            },
            {
              "version": "0.0.9",
              "status": "affected"
            },
            {
              "version": "0.0.10",
              "status": "affected"
            },
            {
              "version": "0.0.11",
              "status": "affected"
            },
            {
              "version": "0.0.12",
              "status": "affected"
            },
            {
              "version": "0.0.13",
              "status": "affected"
            },
            {
              "version": "0.0.14",
              "status": "affected"
            },
            {
              "version": "0.0.15",
              "status": "affected"
            },
            {
              "version": "0.0.16",
              "status": "affected"
            },
            {
              "version": "0.0.17",
              "status": "affected"
            },
            {
              "version": "0.0.18",
              "status": "affected"
            },
            {
              "version": "0.0.19",
              "status": "affected"
            },
            {
              "version": "0.0.20",
              "status": "affected"
            },
            {
              "version": "0.0.21",
              "status": "affected"
            },
            {
              "version": "0.0.22",
              "status": "affected"
            },
            {
              "version": "0.0.23",
              "status": "affected"
            },
            {
              "version": "0.0.24",
              "status": "affected"
            },
            {
              "version": "0.0.25",
              "status": "affected"
            },
            {
              "version": "0.0.26",
              "status": "affected"
            },
            {
              "version": "0.0.27",
              "status": "affected"
            },
            {
              "version": "0.0.28",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Use of Hard-coded Cryptographic Key",
              "cweId": "CWE-321",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Key Management Error",
              "cweId": "CWE-320",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://vuldb.com/?id.338476",
          "name": "VDB-338476 | getmaxun auth.ts hard-coded key",
          "tags": [
            "vdb-entry",
            "technical-description"
          ]
        },
        {
          "url": "https://vuldb.com/?ctiid.338476",
          "name": "VDB-338476 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ]
        },
        {
          "url": "https://vuldb.com/?submit.710256",
          "name": "Submit #710256 | https://github.com/getmaxun https://github.com/getmaxun/maxun  ≤ v0.0.28 Authentication Bypass by Primary Weakness",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://gist.github.com/H2u8s/40be31987e52fc81076b6bfcfbdf3cd6",
          "tags": [
            "exploit"
          ]
        }
      ],
      "metrics": [
        {},
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "baseScore": 3.7,
            "baseSeverity": "LOW"
          }
        },
        {
          "cvssV3_0": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "baseScore": 3.7,
            "baseSeverity": "LOW"
          }
        },
        {
          "cvssV2_0": {
            "version": "2.0",
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
            "baseScore": 2.6
          }
        }
      ],
      "timeline": [
        {
          "time": "2025-12-26T00:00:00.000Z",
          "lang": "en",
          "value": "Advisory disclosed"
        },
        {
          "time": "2025-12-26T01:00:00.000Z",
          "lang": "en",
          "value": "VulDB entry created"
        },
        {
          "time": "2025-12-26T19:16:05.000Z",
          "lang": "en",
          "value": "VulDB entry last update"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "28Hus (VulDB User)",
          "type": "reporter"
        }
      ]
    }
  }
}