CVE-2025-9604
BaseFortify

Publication date: 2025-08-29

Last updated on: 2025-08-29

Assigner: VulDB

Description
A vulnerability was identified in coze-studio up to version 0.2.4. The impacted element is an unknown function in the file backend/domain/plugin/encrypt/aes.go. Manipulation of the argument AuthSecretKey/StateSecretKey/OAuthTokenSecretKey leads to use of a hard-coded cryptographic key. The attack can be initiated remotely. It is considered to have high complexity, and exploitability is regarded as difficult. To fix this issue, it is recommended to deploy a patch. The vendor replied to the GitHub issue (translated from simplified Chinese): "For scenarios requiring encryption, we will implement user-defined key management through configuration and optimize the use of encryption tools, such as random salt."
Meta Information
Published: 2025-08-29
Last Modified: 2025-08-29
Generated: 2026-05-07
AI Q&A: 2025-08-29
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (one associated CPE)
Vendor: coze
Product: coze_studio
Version / Range: 0.2.4 (the description covers versions up to and including 0.2.4)
CWE ID   Description
CWE-320  Key Management Errors (category)
CWE-321  Use of Hard-coded Cryptographic Key: the product uses a hard-coded, unchangeable cryptographic key.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-9604 is a cryptographic weakness in coze-studio up to version 0.2.4, caused by hard-coded keys and an insecure AES construction in backend/domain/plugin/encrypt/aes.go. Three secrets (AuthSecretKey, StateSecretKey, OAuthTokenSecretKey) are hard-coded in the source with low entropy, so anyone who can read the code, which is public, knows them. In addition, the AES encryption uses CBC mode with a fixed initialization vector (IV) derived from the key itself and reused for every operation. Under a fixed key and fixed IV, encryption is deterministic: the same plaintext always produces the same ciphertext, and two plaintexts that share a prefix produce ciphertexts whose leading blocks match, which leaks information even before the key is used; with the key in hand, an attacker can decrypt any ciphertext the affected code produced. The attack can be initiated remotely, but its complexity is rated high and exploitability difficult. The vendor plans to fix this by moving to user-defined key management through configuration and adding random salts. [2, 3, 1]


How can this vulnerability impact me? :

Any data protected with these keys loses its confidentiality. Because the keys sit in public source code, an attacker does not need to brute-force or guess them (their low entropy would make them weak even if they were not published): anyone who obtains ciphertext produced by the affected code can decrypt it with the known key, and even without decrypting, the fixed IV lets an observer spot repeated or prefix-matching plaintexts by comparing ciphertexts. Although exploitation is rated high-complexity and difficult, a successful attack exposes the confidential data these keys were meant to protect. [2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection is mainly a version and source check. First confirm whether a deployment runs coze-studio 0.2.4 or earlier. Then inspect backend/domain/plugin/encrypt/aes.go for the three hard-coded keys (AuthSecretKey, StateSecretKey, OAuthTokenSecretKey) and for an IV derived from the key rather than generated per operation, for example with grep: `grep -nE 'AuthSecretKey|StateSecretKey|OAuthTokenSecretKey' backend/domain/plugin/encrypt/aes.go`. The names alone also appear in a patched tree; the finding is that their values are string literals in the source instead of being loaded from configuration, and that the IV handed to the CBC encrypter is fixed. In traffic or storage, a fixed IV shows up as identical ciphertexts for identical plaintexts (and identical leading blocks for plaintexts with a common prefix), so repeated ciphertext values across requests are an indicator, but no specific network detection commands or signatures are provided in the resources. [2, 3]


What immediate steps should I take to mitigate this vulnerability?

The immediate step is to apply the vendor patch, which replaces the fixed IV with an IV generated randomly for each AES encryption and makes the keys configurable instead of hard-coded. The patch is available on GitHub and was merged on August 4, 2025. Until it is applied, avoid relying on the vulnerable versions for sensitive encryption. After upgrading, configure a unique, randomly generated key per deployment rather than reusing the old constant, and treat anything encrypted under the hard-coded keys as exposed: re-encrypt it under the new key and rotate the underlying credentials where possible. The vendor also plans to add random salts alongside user-configurable keys. [1, 3]
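The three answers above describe the flaw (a key in the source and an IV derived from it), a detection hint (repeated ciphertexts) and the fix (a configured key and a random IV). The Go program below is an added example written for this page, not code from coze-studio or its patch. It places a fixed-key, key-derived-IV AES-CBC routine beside a hardened one that loads the key from an environment variable and prepends a fresh random IV, so a reader can see the deterministic-ciphertext property the advisory warns about and the property the patch restores. The key constant, the variable name COZE_PLUGIN_AES_KEY, the function names and the sample input are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
)

// hardCodedKey stands in for a secret compiled into the source (CWE-321). Its value is an
// assumption made for this example; it is not the project's real constant.
const hardCodedKey = "0123456789abcdef0123456789abcdef" // 32 bytes -> AES-256

// CBC only processes whole blocks, so plaintext is PKCS#7 padded and unpadded.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("pkcs7: bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("pkcs7: bad padding")
	}
	return b[:len(b)-n], nil
}

// weakEncrypt reproduces the pattern the advisory describes: AES-CBC under a key baked into
// the source, with the IV taken from that key. The IV never changes, so equal plaintexts
// always yield equal ciphertexts and shared prefixes yield shared leading blocks.
func weakEncrypt(plaintext []byte) ([]byte, error) {
	key := []byte(hardCodedKey)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := key[:aes.BlockSize] // fixed IV: the first 16 bytes of the key
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// keyFromEnv loads a hex-encoded AES key from deployment configuration instead of from the
// source; the variable name used below is an assumption for this example.
func keyFromEnv(name string) ([]byte, error) {
	key, err := hex.DecodeString(os.Getenv(name))
	if err != nil {
		return nil, fmt.Errorf("%s: not valid hex: %w", name, err)
	}
	if l := len(key); l != 16 && l != 24 && l != 32 {
		return nil, fmt.Errorf("%s: need 16, 24 or 32 bytes, got %d", name, l)
	}
	return key, nil
}

// safeEncrypt keeps AES-CBC, as the page says the patch does, but draws a fresh random IV
// for every call and prepends it to the ciphertext so the receiver can recover it.
func safeEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// safeDecrypt reverses safeEncrypt and rejects input that cannot be an IV plus ciphertext.
func safeDecrypt(key, ct []byte) ([]byte, error) {
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or not block-aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, ct[:aes.BlockSize]).CryptBlocks(pt, ct[aes.BlockSize:])
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	sample := []byte("constructed sample token") // constructed input for the demo
	w1, _ := weakEncrypt(sample)
	w2, _ := weakEncrypt(sample)
	os.Setenv("COZE_PLUGIN_AES_KEY", "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f") // constructed demo key
	key, _ := keyFromEnv("COZE_PLUGIN_AES_KEY")
	s1, _ := safeEncrypt(key, sample)
	s2, _ := safeEncrypt(key, sample)
	fmt.Println("repeat gives identical ciphertext: weak =", bytes.Equal(w1, w2), "hardened =", bytes.Equal(s1, s2))
}
```

Running the file shows the weak path reporting identical ciphertexts for a repeated input and the hardened path reporting different ones; encrypting the same input twice and comparing is also the simplest black-box test for a fixed IV on any encrypt routine you can call. CBC with a random IV matches what the page says the patch does but still provides no integrity protection; where ciphertext could be tampered with in transit, an AEAD mode such as AES-GCM (cipher.NewGCM in Go's standard library) is the better choice.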

