CVE-2025-68926
Hardcoded Token Authentication Bypass in RustFS Enables Data Destruction
Publication date: 2025-12-30
Last updated on: 2025-12-30
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rustfs | rustfs | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in RustFS versions prior to 1.0.0-alpha.77, where the system uses a hardcoded static gRPC authentication token "rustfs rpc" that is publicly exposed in the source code. This token is hardcoded on both client and server sides, cannot be configured or rotated, and is valid across all RustFS deployments. An attacker with network access to the gRPC port can use this token to authenticate and perform privileged operations.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can authenticate to the RustFS system remotely and execute privileged operations such as data destruction, policy manipulation, and changes to cluster configuration. This can lead to severe data loss, unauthorized access, and disruption of services.
What immediate steps should I take to mitigate this vulnerability?
Upgrade RustFS to version 1.0.0-alpha.77 or later, which contains a fix for the hardcoded static token vulnerability. Until the upgrade is applied, restrict network access to the gRPC port to trusted hosts only to prevent unauthorized authentication using the publicly known token.
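To make the weakness and the fix concrete, the following is an added Rust example written for this entry; it is not RustFS's own code. It places the pattern described above (one static token compiled into both client and server, identical across deployments) beside a hardened check that loads a per-deployment secret at startup, fails closed when none is configured, and compares in constant time. The header-map model of RPC metadata, the RUSTFS_RPC_TOKEN variable name, the 32-byte minimum and the sample secret are all assumptions of the example.

```rust
use std::collections::HashMap;
use std::env;

/// Incoming RPC metadata, modelled here as a plain header map
/// (a constructed stand-in for gRPC metadata, not a RustFS type).
pub type Metadata = HashMap<String, String>;

/// Build sample metadata with an optional `authorization` header (constructed input).
pub fn metadata(auth: Option<&str>) -> Metadata {
    let mut md = Metadata::new();
    if let Some(v) = auth {
        md.insert("authorization".to_string(), v.to_string());
    }
    md
}

/// Weak pattern from the advisory: a fixed token baked into the binary.
/// Anyone who reads the source knows the credential, and it is the same
/// value on every installation, so it cannot be rotated per deployment.
const STATIC_TOKEN: &str = "rustfs rpc";

pub fn vulnerable_authorize(md: &Metadata) -> bool {
    md.get("authorization").map(|v| v == STATIC_TOKEN).unwrap_or(false)
}

/// Hardened variant: the expected token is an operator-supplied secret that
/// is unique to the deployment and can be changed without a rebuild.
pub struct RpcAuthenticator {
    expected: Vec<u8>,
}

impl RpcAuthenticator {
    /// Build from an explicit secret. Short or empty secrets are refused so a
    /// misconfiguration fails closed instead of accepting weak credentials.
    pub fn new(secret: &str) -> Result<Self, String> {
        if secret.len() < 32 {
            return Err("rpc token must be at least 32 bytes".to_string());
        }
        Ok(Self { expected: secret.as_bytes().to_vec() })
    }

    /// Read the secret once at process start. RUSTFS_RPC_TOKEN is an assumed
    /// variable name for this example; a missing value is a startup error.
    pub fn from_env() -> Result<Self, String> {
        let s = env::var("RUSTFS_RPC_TOKEN")
            .map_err(|_| "RUSTFS_RPC_TOKEN is not set".to_string())?;
        Self::new(&s)
    }

    /// Accept the request only if the header matches the configured secret.
    pub fn authorize(&self, md: &Metadata) -> bool {
        match md.get("authorization") {
            Some(v) => constant_time_eq(v.as_bytes(), &self.expected),
            None => false,
        }
    }
}

/// Comparison that does not stop at the first mismatching byte, so response
/// timing does not reveal how much of the token was correct.
pub fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

fn main() {
    // Stand-alone demonstration: the public token passes the weak check
    // and is rejected by the per-deployment check.
    let public = metadata(Some("rustfs rpc"));
    println!("static check accepts public token: {}", vulnerable_authorize(&public));
    let auth = RpcAuthenticator::new("constructed-example-secret-0123456789abcdef")
        .expect("secret long enough");
    println!("hardened check accepts public token: {}", auth.authorize(&public));
}
```

Even with the hardened check, the token remains a bearer credential, so the network restriction in the answer above (gRPC port reachable only from trusted hosts) still applies; the secret should also be carried over an authenticated, encrypted channel rather than plaintext gRPC.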
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability violates PCI-DSS requirements for strong authentication and multi-factor authentication, and OWASP Top 10 A07:2021 (Identification and Authentication Failures). It also involves multiple CWE entries including CWE-798 (Hard-coded Credentials) and CWE-287 (Improper Authentication). There are potential GDPR and CCPA data breach notification requirements due to the risk of data exposure, which could lead to significant legal, financial, and reputational consequences. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to authenticate to the RustFS gRPC service using the known hardcoded token "rustfs rpc" on the default gRPC port 9000/TCP. A simple command using grpcurl can be used to test this: `grpcurl -plaintext -H 'authorization: rustfs rpc' <target-ip>:9000 list`. If the command succeeds and returns the list of gRPC services or methods, the system is vulnerable. This confirms that the hardcoded token is accepted and authentication is bypassed. [1]