getmaxun maxun CVE-2025-15105
LOWSeverity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Use of hard-coded cryptographic keys in getmaxun maxun up to version 0.0.28 allows remote unauthenticated attackers to manipulate the api_key parameter in the authentication route, potentially disclosing sensitive information with high attack complexity. Publicly available exploit code exists, though EPSS scoring (0.07%) and vendor non-responsiveness suggest limited real-world exploitation pressure despite confirmed POC availability.
Technical ContextAI
The vulnerability resides in the authentication handler at /getmaxun/maxun/blob/develop/server/src/routes/auth.ts, where cryptographic operations depend on hard-coded keys rather than dynamically generated or properly managed secrets (CWE-320: Use of Insufficiently Random Values). The attack vector involves manipulating the api_key argument passed to this endpoint. The use of static cryptographic material in a network-accessible authentication service creates a situation where an attacker can potentially derive or bypass cryptographic protections by reverse-engineering the hard-coded keys from the application or analyzing authentication exchanges.
RemediationAI
Upgrade getmaxun maxun to a version after 0.0.28 if a patched release is available from the vendor. Given the vendor's non-responsiveness to early disclosure, check the project's GitHub repository (github.com/getmaxun/maxun) for any subsequent commits or releases that address hard-coded cryptographic keys in the auth.ts file. If no patched version is available, implement compensating controls: (1) Disable or restrict network access to the /getmaxun/maxun authentication endpoints using a reverse proxy or firewall ACL, limiting exposure to trusted internal networks only; (2) Replace hard-coded keys by implementing dynamic key derivation or integration with a secrets-management system (e.g., environment variables, AWS Secrets Manager, HashiCorp Vault); (3) Monitor authentication logs for anomalous api_key manipulation attempts and trigger alerts on repeated failed authentication with modified credentials. These controls trade deployment complexity and operational overhead for reduced information-disclosure risk.
Cross-tenant access in Maxun (the open-source no-code web data extraction/scraping platform) before 0.0.42 allows any au
Improper authorization in getmaxun maxun up to version 0.0.28 allows authenticated remote attackers to access unauthoriz
Same weakness CWE-320 – Key Management Errors
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today