CVE-2025-30064

Vulnerability Description

An insufficiently secured internal function allows session generation for arbitrary users. The decodeParam function checks the JWT but does not verify which signing algorithm was used. As a result, an attacker can use the "ex:action" parameter in the VerifyUserByThrustedService function to generate a session for any user.

Related Weaknesses (CWE)

CWE-912 CWE-347

References

https://cert.pl/en/posts/2025/08/CVE-2025-2313/

FAQ

What is CVE-2025-30064?

CVE-2025-30064 is a documented vulnerability. An insufficiently secured internal function allows session generation for arbitrary users. The decodeParam function checks the JWT but does not verify which signing algorithm was used. As a result, an...

How severe is CVE-2025-30064?

CVSS scoring is not yet available for CVE-2025-30064. Check NVD for updates.

Is there a patch for CVE-2025-30064?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.