Hospital Management System CVE-2025-11609

LOW
Key Management Errors (CWE-320)
2025-10-11 cna@vuldb.com
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 02:16 (vuln.today)

Description (CVE.org)

A flaw has been found in code-projects Hospital Management System 1.0. Affected is the function session of the component express-session. This manipulation of the argument secret with the input secret causes use of a hard-coded cryptographic key. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is told to be difficult. The exploit has been published and may be used.

Analysis (AI)

A hard-coded cryptographic key in the express-session component of code-projects Hospital Management System 1.0 allows remote attackers to bypass session security and disclose sensitive information. The vulnerability stems from the use of a fixed secret parameter in the session middleware, enabling attackers to forge or predict session tokens. Although a public exploit exists, the attack has high complexity and exploitation is difficult, which is reflected in the low CVSS score of 2.9 and the minimal EPSS probability (0.19%); this suggests limited real-world risk despite the information disclosure impact.

Technical Context (AI)

The vulnerability affects the express-session middleware integration in Hospital Management System 1.0, specifically the secret parameter of the session component (CWE-320: Use of Hard-coded Cryptographic Key). Express-session is a Node.js middleware that manages HTTP session state using cryptographic signing and encryption. When the secret parameter is hard-coded rather than set to a random, environment-specific value, attackers can derive or predict the key material used to sign session cookies, potentially forging valid session tokens or decrypting sensitive session data. The CPE cpe:2.3:a:fabian:hospital_management_system:1.0 indicates that this flaw is present in version 1.0 only.

Remediation (AI)

Upgrade to a patched version if one is available from code-projects; vendor patch information is not confirmed in the available advisories. As an immediate mitigation, manually modify the express-session configuration to use a cryptographically random secret sourced from an environment variable or a secure key management service, never hard-coded in source code. For example, replace hard-coded secret values with secret: process.env.SESSION_SECRET and generate a strong random value using Node.js require('crypto').randomBytes(32).toString('hex'). Additionally, enable the session cookie security flags: set httpOnly: true, secure: true (HTTPS only), and sameSite: 'Strict' to limit session token exposure. If the application cannot be patched immediately, restrict network access to it using firewall or WAF rules to reduce the attack surface. Note that these mitigations do not retroactively invalidate existing sessions signed with the hard-coded key; consider implementing session rotation or invalidation after deploying the fix.

References:
https://github.com/lakshayyverma/CVE-Discovery/blob/main/Hospital%20Management%20System.md
https://vuldb.com/?id.327932

CVE-2025-11609 vulnerability details – vuln.today