CVE-2025-51606
BaseFortify

Publication date: 2025-08-21

Last updated on: 2025-08-22

Assigner: MITRE

Description
hippo4j 1.0.0 to 1.5.0 uses a hard-coded secret key in its JWT (JSON Web Token) creation. This allows attackers with access to the source code or compiled binary to forge valid access tokens and impersonate any user, including privileged ones such as "admin". The vulnerability poses a critical security risk in systems where authentication and authorization rely on the integrity of JWTs.
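To make the weakness concrete from the defender's side, the following added example (not hippo4j's code; the default secret string, the JWT_SECRET setting name and all function names are constructed for illustration) contrasts the CWE-798 pattern, a JWT signing key that falls back to a value baked into the code, with a startup check that refuses a missing, default or short key. It also shows why the check matters: a verifier configured with the shipped default accepts any HS256 token minted with that same default, while a per-deployment key rejects it.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed placeholder standing in for a secret shipped inside the code.
# It is NOT the real hippo4j key; it only models the CWE-798 pattern.
HARDCODED_DEFAULT_SECRET = "change-me-default-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the HS256 signature is valid under `secret`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse "none" / algorithm confusion
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None


def load_secret_vulnerable(env: dict) -> bytes:
    """CWE-798 pattern: silently fall back to the secret embedded in the code."""
    return env.get("JWT_SECRET", HARDCODED_DEFAULT_SECRET).encode()


def check_secret_config(env: dict) -> list:
    """Startup audit: list every reason the configured signing key is unsafe."""
    value = env.get("JWT_SECRET")
    if not value:
        return ["JWT_SECRET is not configured"]
    problems = []
    if value == HARDCODED_DEFAULT_SECRET:
        problems.append("JWT_SECRET equals the shipped default")
    if len(value.encode()) < 32:  # HS256 key should be at least 256 bits
        problems.append("JWT_SECRET shorter than 32 bytes")
    return problems


def load_secret_hardened(env: dict) -> bytes:
    """Hardened pattern: refuse to start unless the deployment supplies its own key."""
    problems = check_secret_config(env)
    if problems:
        raise RuntimeError("; ".join(problems))
    return env["JWT_SECRET"].encode()


def generate_secret() -> str:
    """Per-deployment key generation (what an operator should put in JWT_SECRET)."""
    return secrets.token_urlsafe(48)


def default_key_accepted(env: dict) -> bool:
    """Local self-test for a deployment: True means a token signed with the
    shipped default verifies here, i.e. anyone holding the source or binary
    could mint an 'admin' token for this instance."""
    probe = sign_jwt({"sub": "admin"}, HARDCODED_DEFAULT_SECRET.encode())
    return verify_jwt(probe, load_secret_vulnerable(env)) is not None


if __name__ == "__main__":
    print("empty config accepts default-key tokens:", default_key_accepted({}))
    deployed = {"JWT_SECRET": generate_secret()}
    print("rotated config accepts default-key tokens:", default_key_accepted(deployed))
    print("startup problems with empty config:", check_secret_config({}))
```

The self-test only exercises the verifier you operate yourself; the mitigation is the startup refusal plus a key generated per deployment and rotated after upgrading, which invalidates every token minted under the old hard-coded value.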
Meta Information
Generated: 2026-05-27
AI Q&A: 2025-08-21
EPSS Evaluated: 2026-05-25
NVD
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
hippo4j hippo4j 1.0.0
hippo4j hippo4j 1.5.0
CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in hippo4j versions 1.0.0 to 1.5.0, where a hard-coded secret key is used in the creation of JSON Web Tokens (JWTs). Because the secret key is embedded in the source code or compiled binary, attackers who gain access to these can forge valid JWT access tokens. This allows them to impersonate any user, including privileged users like 'admin'.


How can this vulnerability impact me?

The vulnerability can lead to unauthorized access by attackers who can create valid JWTs and impersonate any user, including administrators. This compromises authentication and authorization mechanisms, potentially allowing attackers to gain full control over the affected system or application.

