← Back
2025-12-27 12:32CVE-2025-15107VulDB
PUBLISHED5.2CWE-321CWE-320

actiontech sqle JWT Secret jwt.go hard-coded key

A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. The manipulation of the argument JWTSecretKey leads to use of hard-coded cryptographic key . The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report and is planning to fix this flaw in an upcoming release.

Problem type

Affected products

actiontech

sqle

4.2511 - AFFECTED

References

VDB-338478 | actiontech sqle JWT Secret jwt.go hard-coded key

https://vuldb.com/?id.338478

vdb-entrytechnical-description
VDB-338478 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/?ctiid.338478

signaturepermissions-required
Submit #710380 | https://github.com/actiontech https://github.com/actiontech/sqle ≤4.2511.0 Authentication Bypass by Primary Weakness

https://vuldb.com/?submit.710380

third-party-advisory
github.com

https://github.com/actiontech/sqle/issues/3186

exploitissue-tracking
github.com

https://github.com/actiontech/sqle/milestone/53

related

JSON source

https://cveawg.mitre.org/api/cve/CVE-2025-15107
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2025-15107",
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "dateUpdated": "2025-12-27T12:32:06.081Z",
    "dateReserved": "2025-12-26T23:07:40.119Z",
    "datePublished": "2025-12-27T12:32:06.081Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB",
        "dateUpdated": "2025-12-27T12:32:06.081Z"
      },
      "title": "actiontech sqle JWT Secret jwt.go hard-coded key",
      "descriptions": [
        {
          "lang": "en",
          "value": "A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. The manipulation of the argument JWTSecretKey leads to use of hard-coded cryptographic key\r . The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report and is planning to fix this flaw in an upcoming release."
        }
      ],
      "affected": [
        {
          "vendor": "actiontech",
          "product": "sqle",
          "modules": [
            "JWT Secret Handler"
          ],
          "versions": [
            {
              "version": "4.2511",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Use of Hard-coded Cryptographic Key",
              "cweId": "CWE-321",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Key Management Error",
              "cweId": "CWE-320",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://vuldb.com/?id.338478",
          "name": "VDB-338478 | actiontech sqle JWT Secret jwt.go hard-coded key",
          "tags": [
            "vdb-entry",
            "technical-description"
          ]
        },
        {
          "url": "https://vuldb.com/?ctiid.338478",
          "name": "VDB-338478 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ]
        },
        {
          "url": "https://vuldb.com/?submit.710380",
          "name": "Submit #710380 | https://github.com/actiontech https://github.com/actiontech/sqle ≤4.2511.0 Authentication Bypass by Primary Weakness",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://github.com/actiontech/sqle/issues/3186",
          "tags": [
            "exploit",
            "issue-tracking"
          ]
        },
        {
          "url": "https://github.com/actiontech/sqle/milestone/53",
          "tags": [
            "related"
          ]
        }
      ],
      "metrics": [
        {},
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "baseScore": 3.7,
            "baseSeverity": "LOW"
          }
        },
        {
          "cvssV3_0": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "baseScore": 3.7,
            "baseSeverity": "LOW"
          }
        },
        {
          "cvssV2_0": {
            "version": "2.0",
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
            "baseScore": 2.6
          }
        }
      ],
      "timeline": [
        {
          "time": "2025-12-26T01:00:00.000Z",
          "lang": "en",
          "value": "VulDB entry created"
        },
        {
          "time": "2025-12-27T00:00:00.000Z",
          "lang": "en",
          "value": "Advisory disclosed"
        },
        {
          "time": "2025-12-27T00:12:48.000Z",
          "lang": "en",
          "value": "VulDB entry last update"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "28Hus (VulDB User)",
          "type": "reporter"
        }
      ]
    }
  }
}