CVE-2025-9604
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-29

Last updated on: 2025-08-29

Assigner: VulDB

Description
A vulnerability was identified in coze-studio up to 0.2.4. The impacted element is an unknown function of the file backend/domain/plugin/encrypt/aes.go. The manipulation of the argument AuthSecretKey/StateSecretKey/OAuthTokenSecretKey leads to use of hard-coded cryptographic key . It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. To fix this issue, it is recommended to deploy a patch. The vendor replied to the GitHub issue (translated from simplified Chinese): "For scenarios requiring encryption, we will implement user-defined key management through configuration and optimize the use of encryption tools, such as random salt."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-29
Last Modified
2025-08-29
Generated
2026-06-16
AI Q&A
2025-08-29
EPSS Evaluated
2026-06-14
NVD
CVE-2025-9604
EUVD
EUVD-2025-26161
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
coze coze_studio 0.2.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.
CWE-320 Key Management Errors
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-9604 is a cryptographic vulnerability in coze-studio up to version 0.2.4, caused by the use of hard-coded cryptographic keys and insecure AES encryption implementation. Specifically, three secret keys (AuthSecretKey, StateSecretKey, OAuthTokenSecretKey) are hardcoded with low entropy, making them weak and accessible to anyone with code access. Additionally, the AES encryption uses CBC mode with a fixed Initialization Vector (IV) derived from the key itself, which is reused for every encryption operation. This leads to predictable ciphertexts and compromises the confidentiality of encrypted data. The vulnerability can be exploited remotely without authentication, though the attack complexity is high and exploitability is difficult. The vendor plans to fix this by enabling user-defined key management and using random salts to improve encryption security. [2, 3, 1]

Impact Analysis

This vulnerability can compromise the confidentiality of your encrypted data because the hard-coded keys and fixed IV allow attackers to analyze ciphertext patterns and potentially recover plaintext information. Since the keys are weak and publicly accessible in the source code, attackers can perform brute-force or guessing attacks. The insecure encryption implementation undermines the protection of sensitive information, increasing the risk of data exposure. Although exploitation is difficult and requires high complexity, a successful attack could lead to unauthorized access to confidential data. [2, 3]

Detection Guidance

Detection of this vulnerability involves inspecting the source code or binaries of coze-studio versions up to 0.2.4 for the presence of hardcoded cryptographic keys (AuthSecretKey, StateSecretKey, OAuthTokenSecretKey) and insecure AES encryption implementation using a fixed IV derived from the key. Commands to detect this could include searching the source code for the hardcoded keys, for example using grep: `grep -E 'AuthSecretKey|StateSecretKey|OAuthTokenSecretKey' backend/domain/plugin/encrypt/aes.go`. Additionally, monitoring network traffic for repeated ciphertext patterns could indicate the use of a fixed IV in CBC mode encryption. However, no specific network detection commands or signatures are provided in the resources. [2, 3]

Mitigation Strategies

The immediate mitigation step is to apply the vendor-provided patch that replaces the fixed IV with a randomly generated IV for each AES encryption operation and enables user-defined key management instead of using hardcoded keys. This patch is available on GitHub and was merged on August 4, 2025. Until the patch can be applied, avoid using the vulnerable versions of coze-studio for sensitive encryption tasks. The vendor also plans to optimize encryption by incorporating random salts and user-configurable keys to enhance security. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9604. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart