MartialBE one-hub CVE-2025-14651
LOWSeverity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability has been found in MartialBE one-hub up to 0.14.27. This vulnerability affects unknown code of the file docker-compose.yml. The manipulation of the argument SESSION_SECRET leads to use of hard-coded cryptographic key . The attack may be initiated remotely. The complexity of an attack is rather high. It is stated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. The code maintainer recommends (translated from Chinese): "The default docker-compose example file is not recommended for production use. If you intend to use it in production, please carefully check and modify every configuration and environment variable yourself!"
AnalysisAI
MartialBE one-hub up to version 0.14.27 uses a hard-coded cryptographic key in the SESSION_SECRET environment variable of its default docker-compose.yml configuration, allowing remote attackers to potentially decrypt or forge session tokens with high attack complexity. The vulnerability requires non-standard deployment configurations and affects confidentiality rather than integrity or availability. Exploit code has been disclosed publicly, though active exploitation remains unconfirmed by CISA, and the vendor explicitly recommends against using the default Docker Compose example in production environments.
Technical ContextAI
The vulnerability stems from CWE-320 (Use of Insufficiently Random Values) in cryptographic key management. MartialBE one-hub is a Docker-based application that relies on a SESSION_SECRET environment variable for session token generation and validation in its default docker-compose.yml configuration file. The default example includes a hard-coded, static session secret (visible at the referenced GitHub line) that is typically insufficient entropy for production cryptographic use. When this default configuration is deployed without modification, all instances share identical session secrets, enabling attackers with knowledge of the hard-coded value to forge valid session tokens or decrypt session data. The attack surface is specific to deployments using the provided Docker Compose example without customization, as the code maintainer emphasizes this template is not intended for production use.
Affected ProductsAI
MartialBE one-hub versions up to and including 0.14.27 are affected when deployed using the default docker-compose.yml configuration file without modification to the SESSION_SECRET environment variable. The vulnerable configuration is documented in the official GitHub repository at github.com/MartialBE/one-hub. No CPE string was provided in available sources. The issue was first reported in GitHub issue #872 and acknowledged by the code maintainer.
RemediationAI
The primary mitigation is to immediately update MartialBE one-hub to the latest available version and generate a unique, cryptographically strong SESSION_SECRET value (minimum 32 random bytes) via environment variable configuration rather than relying on defaults. Organizations currently running versions 0.14.27 or earlier must replace the default SESSION_SECRET with a custom value using a secure random generator (e.g., openssl rand -hex 32 on Linux/macOS or equivalent tools). The vendor's GitHub repository includes updated examples and documentation recommending against production use of the default docker-compose.yml template. For existing deployments, rotate all active session tokens after updating the SESSION_SECRET to invalidate any tokens generated with the old hard-coded value. If session persistence across deployments is required, document and secure the custom SESSION_SECRET in a secrets management system (e.g., Docker Secrets, Kubernetes Secrets, or HashiCorp Vault) rather than committing it to version control. Review deployment documentation and process controls to prevent future use of example configurations in production. References: github.com/MartialBE/one-hub/issues/872 and the official repository documentation.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-320 – Key Management Errors
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today