CVE-2025-7789
BaseFortify
Publication date: 2025-07-18
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xuxueli | xxl-job | to 3.1.1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-326 | The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
| CWE-916 | The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7789 is a vulnerability in the XXL-Job scheduling platform up to and including version 3.1.1, located in the token generation function makeToken. The administrator login token stored in the cookie 'XXL_JOB_LOGIN_IDENTITY' is produced by converting the administrator's user record, serialized as JSON, into a hexadecimal string, with no encryption and no signature. That token carries sensitive fields: user ID, username, MD5-hashed password, role ID, and permissions. Because hex encoding is trivially reversible, anyone who obtains the cookie can decode it and read these values. The password hash uses MD5, which is considered broken and unsuitable for password storage. The unprotected token format and the insufficient computational effort of the password hash together make it possible for an attacker to recover administrator credentials and potentially take over the system. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access and full takeover of the administrator account in the XXL-Job platform. If an attacker obtains the 'XXL_JOB_LOGIN_IDENTITY' cookie, they can decode it to retrieve sensitive administrator data, including the MD5-hashed password and the permissions. This allows the attacker to impersonate the administrator and gain unauthorized control over the system. The attack can be launched remotely and without authentication, although it is considered difficult to execute. Compromise of administrator credentials can lead to significant security breaches and loss of confidentiality. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection centres on the cookie named 'XXL_JOB_LOGIN_IDENTITY' in HTTP requests to the XXL-Job admin interface. Because a vulnerable instance stores a hex-encoded JSON string of administrator credentials in that cookie, you can capture the cookie and decode it to confirm whether sensitive information is exposed. Network capture tools such as tcpdump or Wireshark can filter HTTP traffic for the cookie, after which the hex string is decoded. For example, using tcpdump: `tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443' | grep XXL_JOB_LOGIN_IDENTITY`. Note that the grep only matches plaintext HTTP: traffic on port 443 is TLS-encrypted on the wire, so for HTTPS deployments inspect the cookie at the application or reverse-proxy layer instead. To decode the hex string from the cookie, use `echo '<hex_string>' | xxd -r -p` to convert it back to JSON and inspect the contents. Comparing the deployed xxl-job version against the affected range (up to and including 3.1.1) is the most direct check. [2, 3]
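As an added example (not code from the BaseFortify page or the xxl-job project), the check below applies the same decode step as the xxd command above to a Cookie header and reports whether the token is plain hex-encoded JSON carrying a password hash; a signed or encrypted token fails to decode and is reported as not matching the weak pattern. The JSON field names are an assumption taken from the fields the description lists, and the sample cookie is constructed from an invented user record.

```python
import hashlib
import json
import re

COOKIE_NAME = "XXL_JOB_LOGIN_IDENTITY"
# Assumed JSON keys, taken from the fields the description lists (user ID,
# username, MD5-hashed password, role ID, permissions); exact names may differ.
SENSITIVE_KEYS = {"id", "username", "password", "role", "permission"}
MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def parse_cookie_header(header):
    """Split a Cookie request header into a {name: value} dict."""
    pairs = (part.strip().split("=", 1) for part in header.split(";") if "=" in part)
    return {name.strip(): value.strip() for name, value in pairs}


def decode_identity(value):
    """Return the token's JSON object if it is plain hex-encoded JSON, else None."""
    try:
        obj = json.loads(bytes.fromhex(value).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):  # not hex, or hex that is not JSON
        return None
    return obj if isinstance(obj, dict) else None


def inspect_cookie_header(header):
    """Report whether the login cookie decodes and which sensitive keys it carries."""
    report = {"present": False, "decodable": False, "exposed": [], "md5_like": False}
    cookies = parse_cookie_header(header)
    if COOKIE_NAME not in cookies:
        return report
    report["present"] = True
    obj = decode_identity(cookies[COOKIE_NAME])
    if obj is None:  # e.g. a signed or encrypted token: the weak pattern is absent
        return report
    report["decodable"] = True
    report["exposed"] = sorted(k for k in obj if k.lower() in SENSITIVE_KEYS)
    pw = obj.get("password")
    report["md5_like"] = isinstance(pw, str) and bool(MD5_HEX.match(pw))
    return report


# Constructed sample: an invented admin record encoded the way the description
# says vulnerable versions do (JSON -> hex), with a made-up password.
SAMPLE_USER = {"id": 1, "username": "admin", "role": 1, "permission": None,
               "password": hashlib.md5(b"constructed-only").hexdigest()}
SAMPLE_HEADER = "JSESSIONID=abc123; %s=%s" % (COOKIE_NAME, json.dumps(SAMPLE_USER).encode().hex())

if __name__ == "__main__":
    print(inspect_cookie_header(SAMPLE_HEADER))
```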
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing or upgrading the affected XXL-Job component to a version that does not use weak token generation, or switching to an alternative product, as no known mitigations or patches are currently available. In addition, restrict access to the application to trusted networks, monitor and limit exposure of the 'XXL_JOB_LOGIN_IDENTITY' cookie, and apply network-level protections (such as TLS on every path to the admin interface) so the cookie cannot be intercepted. Consider invalidating existing tokens and enforcing strong authentication mechanisms. Because the vulnerability involves both weak password hashing and insecure token generation, avoid running the affected versions and apply strict access controls until a secure fix is available. [1]