CVE-2025-15005
Hard-Coded Key Vulnerability in CouchCMS reCAPTCHA Handler
Publication date: 2025-12-22
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| couchcms | couchcms | 2.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-320 | Key Management Errors |
| CWE-321 | The product uses a hard-coded, unchangeable cryptographic key. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability compromises the confidentiality of data by using hard-coded cryptographic keys that allow bypassing CAPTCHA protections, which can lead to automated attacks such as spam submissions and brute force attempts. Such security weaknesses can increase the risk of unauthorized access or data exposure, potentially impacting compliance with standards and regulations like GDPR and HIPAA that require adequate protection of personal data and prevention of unauthorized access. However, no specific compliance impact is detailed in the provided resources. [1, 2, 3]
Can you explain this vulnerability to me?
CVE-2025-15005 is a vulnerability in CouchCMS versions up to 2.4 involving the use of hard-coded Google reCAPTCHA test keys in the file couch/config.example.php. These test keys are publicly known and always return a successful verification response, effectively bypassing the CAPTCHA validation. This means that any form protected by reCAPTCHA, such as contact forms, comment forms, or registration forms, can be automated without solving the CAPTCHA challenge, nullifying the CAPTCHA protection mechanism. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability allows attackers to bypass CAPTCHA protections on forms, enabling automated spam submissions, brute force attacks on login forms, mass comment spam, and automated account registrations. Since the CAPTCHA validation always returns success due to the hard-coded test keys, attackers can exploit this remotely without authentication, increasing the risk of abuse and unauthorized automated interactions with the affected website. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the CouchCMS installation uses the hard-coded Google reCAPTCHA test keys in the file couch/config.example.php. You can search for the presence of the following keys in that file or in your configuration: '6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI' and '6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe'. For example, you can run the command: grep -r "6LeIxAcTAAAA" /path/to/couchcms/ to find occurrences of these test keys. Additionally, vulnerable targets can be identified externally using Google dorking with the query: inurl:couch/config.example.php. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the hard-coded test keys with valid, unique reCAPTCHA site and secret keys obtained from Google for your domain. Avoid using the default or example configuration file (couch/config.example.php) in production. If possible, update or replace the affected CouchCMS component or product to a version that does not use hard-coded keys. Since no official countermeasures or patches are documented, removing or properly configuring the reCAPTCHA keys is essential to prevent bypass. [1, 2]
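The detection and mitigation answers above both reduce to one check: is either of Google's public reCAPTCHA test keys present in the deployed configuration? The following scanner is an added example, not code from CouchCMS or from this advisory. It walks an install tree, reports every file and line carrying one of the two test keys named above, and offers a small helper that a deployment script can call to refuse a key pair that still matches the test values. The sample tree it builds is constructed for the demonstration; the constant names RECAPTCHA_SITE_KEY and RECAPTCHA_SECRET_KEY in the sample files are hypothetical and are not CouchCMS's real configuration setting names.

```python
"""Find Google's public reCAPTCHA test keys in a CouchCMS (or any PHP) install.

Those keys always verify successfully, so a deployment still carrying them has
no working CAPTCHA. Added example; not part of CouchCMS or the advisory.
"""
import os
import re
import tempfile

# Google's published reCAPTCHA v2 test pair, the values named in the advisory.
RECAPTCHA_TEST_KEYS = {
    "6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI": "site key",
    "6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe": "secret key",
}
_KEY_RE = re.compile("|".join(re.escape(k) for k in RECAPTCHA_TEST_KEYS))


def scan_text(text):
    """Return [(line_no, role, key)] for every test key occurrence in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _KEY_RE.finditer(line):
            hits.append((line_no, RECAPTCHA_TEST_KEYS[match.group(0)], match.group(0)))
    return hits


def scan_tree(root, suffixes=(".php", ".ini", ".env", ".json", ".yml", ".yaml")):
    """Walk root and map each offending file (relative path) to its hits.

    Config material is usually in these suffixes; widen the tuple if a site
    keeps keys elsewhere. Unreadable files are skipped rather than aborting.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def check_configured_keys(site_key, secret_key):
    """Return the roles whose value is a known test key (empty list = clean).

    Intended for a deployment or startup hook so a production config can never
    go live with the test pair.
    """
    return [role for role, key in (("site key", site_key), ("secret key", secret_key))
            if key in RECAPTCHA_TEST_KEYS]


def build_demo_tree():
    """Create a constructed sample tree (not a real CouchCMS install)."""
    root = tempfile.mkdtemp(prefix="couch-demo-")
    os.makedirs(os.path.join(root, "couch"))
    # Constructed: an example config that still carries the test pair.
    # RECAPTCHA_SITE_KEY / RECAPTCHA_SECRET_KEY are hypothetical setting names.
    with open(os.path.join(root, "couch", "config.example.php"), "w") as fh:
        fh.write("<?php\n"
                 "// constructed sample showing the vulnerable state\n"
                 "define('RECAPTCHA_SITE_KEY', '6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI');\n"
                 "define('RECAPTCHA_SECRET_KEY', '6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe');\n")
    # Constructed: a live config with placeholders where real per-domain keys go.
    with open(os.path.join(root, "couch", "config.php"), "w") as fh:
        fh.write("<?php\n"
                 "define('RECAPTCHA_SITE_KEY', 'REPLACE-WITH-YOUR-SITE-KEY');\n"
                 "define('RECAPTCHA_SECRET_KEY', 'REPLACE-WITH-YOUR-SECRET-KEY');\n")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel_path, hits in scan_tree(demo).items():
        for line_no, role, key in hits:
            print(f"{rel_path}:{line_no}: reCAPTCHA test {role} {key}")
```

Run it against the real web root instead of the demo tree (`scan_tree("/path/to/couchcms")`) to get the same file:line report the advisory's grep command gives, with the added benefit of naming which of the pair was found. The `check_configured_keys` helper is the mitigation half: wire it into whatever step reads the site and secret keys so the test pair is rejected before the site accepts form submissions.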