CVE-2025-15105
Hard-Coded Cryptographic Key in getmaxun auth.ts Allows Remote Exploit
Publication date: 2025-12-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getmaxun | maxun | 0.0.28 |
Exploitability
| CWE ID | Name |
|---|---|
| CWE-320 | Key Management Errors |
| CWE-321 | Use of Hard-coded Cryptographic Key (the product uses a hard-coded, unchangeable cryptographic key) |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a security flaw in getmaxun maxun up to version 0.0.28, located in an unspecified function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Manipulation of the argument 'api_key' leads to the use of a hard-coded cryptographic key (CWE-321). The flaw can be exploited remotely; the attack is rated as high complexity and considered difficult to execute.
How can this vulnerability impact me? :
A remote attacker who manipulates the 'api_key' argument can take advantage of the hard-coded cryptographic key. Because the key is fixed and publicly known, anything whose security depends on that key secret is at risk; the CVSS assessment rates the confidentiality impact as low to moderate. The attack complexity is rated high, so exploitation is considered difficult.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
Because the JWT secret key is hard-coded and publicly known, an attacker can forge tokens, bypass authentication, and impersonate any user. The resulting unauthorized access can expose or compromise personal and sensitive data, which may breach data protection requirements under standards such as GDPR and HIPAA. The vulnerability therefore weakens compliance by raising the risk of unauthorized data access and reportable data breaches. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Check whether the deployment still uses the default hard-coded JWT secret `a9Z$kLq7^f03GzNw!bP9dH4xV6sT2yXl3O8vR@uYq3`, either in its environment configuration (typically the `.env` file, as `JWT_SECRET`) or in the authentication module `auth.ts`. Search the deployment files with a fixed-string grep, since the key contains the regex metacharacters `$` and `^` (the single quotes also keep the shell from expanding `$` and `!`): `grep -rF 'a9Z$kLq7^f03GzNw!bP9dH4xV6sT2yXl3O8vR@uYq3' /path/to/your/project`. You can also intercept JWTs issued by the application and test whether their signatures verify under the default secret; a token that does is proof the default is in use. Finally, because the token check reportedly validates only the `userid` claim, monitor API requests for tokens whose `userid` does not match the session that obtained them, which may indicate forgery. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Replace the default hard-coded JWT secret with a strong, randomly generated secret that is unique to your deployment and never copied from the example environment file's `JWT_SECRET` value; rotating the secret also invalidates any tokens already forged with the old one. Add further controls such as two-factor authentication and server-side tracking of issued tokens (for example in a cache or database) so that a forged or intercepted token is not accepted on its signature alone. Where possible, replace the affected component or upgrade to a version that does not use the hard-coded key. Since no vendor patch or official mitigation exists at the time of writing, these steps are critical to reduce risk. [1, 2, 3]