CVE-2025-51606 — HIGH (8.8)

Vulnerability Description

hippo4j 1.0.0 to 1.5.0, uses a hard-coded secret key in its JWT (JSON Web Token) creation. This allows attackers with access to the source code or compiled binary to forge valid access tokens and impersonate any user, including privileged ones such as "admin". The vulnerability poses a critical security risk in systems where authentication and authorization rely on the integrity of JWTs.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Related Weaknesses (CWE)

CWE-798

References

https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250610-01.md

FAQ

What is CVE-2025-51606?

CVE-2025-51606 is a vulnerability with a CVSS score of 8.8 (HIGH). hippo4j 1.0.0 to 1.5.0, uses a hard-coded secret key in its JWT (JSON Web Token) creation. This allows attackers with access to the source code or compiled binary to forge valid access tokens and impe...

How severe is CVE-2025-51606?

CVE-2025-51606 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-51606?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.