CVE-2025-65730
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-11
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pommee | goaway | to 0.62.19 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authentication bypass in GoAway versions up to 0.62.18. It occurs because the software uses a hardcoded secret to sign JWT tokens for authentication, which can be exploited to bypass authentication mechanisms. The issue was fixed in version 0.62.19.
How can this vulnerability impact me? :
This vulnerability can allow attackers to bypass authentication, potentially gaining unauthorized access to the system or application protected by GoAway. This could lead to unauthorized actions or data exposure.
What immediate steps should I take to mitigate this vulnerability?
Upgrade GoAway to version 0.62.19 or later, as this version fixes the authentication bypass vulnerability caused by hardcoded credentials.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability involves an authentication bypass due to hardcoded JWT signing credentials, which can lead to unauthorized access and compromise of sensitive data. Such a security flaw can negatively impact compliance with standards like GDPR and HIPAA, which require strong access controls and protection of personal and health information. By allowing authentication bypass, this vulnerability increases the risk of data breaches and unauthorized data exposure, thereby potentially violating these regulations' requirements for data security and privacy. [3]