CVE-2025-62710
BaseFortify
Publication date: 2025-10-22
Last updated on: 2025-10-30
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sakailms | sakai | all versions before 23.5 (23.5 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-337 | A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the Sakai Collaboration and Learning Environment using a non-cryptographic pseudo-random number generator (java.util.Random) to initialize an AES256 encryption key (serverSecretKey). Because java.util.Random is predictable from limited seed information, an attacker who obtains ciphertexts and can approximate the seed can reconstruct the encryption key and decrypt protected data.
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker to decrypt sensitive data that was protected by the affected encryption service, potentially exposing confidential information stored or exported by Sakai.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Sakai to version 23.5 or 25.0, or any later release; both 23.5 and 25.0 include the fix for this vulnerability.
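The weak-PRNG pattern behind CWE-337, shown as an added illustration that is not Sakai's code: a 256-bit AES key filled from java.util.Random carries only as much entropy as the 48-bit seed, and two instances seeded alike produce the identical key, whereas KeyGenerator backed by the platform CSPRNG does not. The class and method names are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class AesKeySourceDemo {

    // Weak pattern (hypothetical reconstruction of the flaw class, not Sakai's code).
    // java.util.Random is a 48-bit linear congruential generator: the whole output
    // stream, and therefore the key, is fixed once the seed is known or guessed.
    static SecretKey weakAesKey(long seed) {
        byte[] keyBytes = new byte[32];          // 32 bytes = AES-256 key size
        new Random(seed).nextBytes(keyBytes);    // only 2^48 possible keys
        return new SecretKeySpec(keyBytes, "AES");
    }

    // Hardened pattern: KeyGenerator seeded from SecureRandom (the OS CSPRNG),
    // giving a full 256 bits of unpredictable key material.
    static SecretKey strongAesKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, new SecureRandom());
        return kg.generateKey();
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario: two services started at the same millisecond,
        // or a seed such as a timestamp that an observer can narrow down.
        long seed = System.currentTimeMillis();
        byte[] weakOne = weakAesKey(seed).getEncoded();
        byte[] weakTwo = weakAesKey(seed).getEncoded();
        byte[] strongOne = strongAesKey().getEncoded();
        byte[] strongTwo = strongAesKey().getEncoded();

        System.out.println("java.util.Random keys identical for equal seeds: "
                + Arrays.equals(weakOne, weakTwo));
        System.out.println("SecureRandom-backed keys identical: "
                + Arrays.equals(strongOne, strongTwo));
    }
}
```

A practical code-review check for this weakness class is to flag every java.util.Random (or Math.random) whose output reaches key, IV, token or other secret material and replace it with SecureRandom or a KeyGenerator.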