CVE-2025-15108
Hard-Coded Cryptographic Key in PandaX JWT Secret Handler
Publication date: 2025-12-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pandaxgo | pandax | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-320 | Key Management Errors |
| CWE-321 | The product uses a hard-coded, unchangeable cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the PandaXGO PandaX software, specifically in the JWT Secret Handler component's config.yml file. It involves the use of a hard-coded cryptographic key due to manipulation of the argument key. This flaw can be exploited remotely, although the attack is complex and difficult to execute. The vulnerability allows attackers to potentially compromise the confidentiality of data protected by the cryptographic key.
How can this vulnerability impact me? :
The vulnerability can impact you by exposing sensitive information protected by the hard-coded cryptographic key, leading to a partial loss of confidentiality. Since the key is hard-coded and can be manipulated, attackers might decrypt or access protected data remotely, although the attack is difficult to perform. This could undermine the security of your system or data relying on this cryptographic key.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to forge JWT tokens and gain super administrator access, leading to potential unauthorized access to sensitive data. This breach of confidentiality could result in non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access. However, no explicit mention of compliance impact is provided in the resources. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the config.yml file of the PandaX system for the presence of a hard-coded JWT secret key, specifically the default key "PandaX". Additionally, monitoring for JWT tokens that contain a "RoleKey" field without proper validation or expiration checks can indicate exploitation attempts. Since the authentication mechanism accepts forged JWT tokens signed with the known secret, analyzing JWT tokens in network traffic for suspicious "RoleKey" values such as "admin" can help detect attacks. There is an example Python script available that demonstrates token forgery, which can be adapted to test your system's vulnerability. Specific commands are not provided in the resources, but checking the config.yml file and capturing JWT tokens for analysis are recommended steps. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
No official mitigations or vendor responses have been provided for this vulnerability. Immediate steps include replacing or removing the affected component that uses the hard-coded JWT secret key. Since the product uses a rolling release model and no patched versions are disclosed, consider disabling or restricting remote access to the vulnerable service to reduce exposure. Additionally, implement proper JWT validation including verifying token authenticity and expiration, and avoid using hard-coded cryptographic keys by configuring secure, unique secrets. Monitoring for suspicious JWT tokens and applying network-level protections may also help mitigate risk until a fix is available. [2]