Skip to main content

getmaxun maxun CVE-2025-15105

LOW
Key Management Errors (CWE-320)
2025-12-27 cna@vuldb.com
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 03:01 vuln.today

DescriptionCVE.org

A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Use of hard-coded cryptographic keys in getmaxun maxun up to version 0.0.28 allows remote unauthenticated attackers to manipulate the api_key parameter in the authentication route, potentially disclosing sensitive information with high attack complexity. Publicly available exploit code exists, though EPSS scoring (0.07%) and vendor non-responsiveness suggest limited real-world exploitation pressure despite confirmed POC availability.

Technical ContextAI

The vulnerability resides in the authentication handler at /getmaxun/maxun/blob/develop/server/src/routes/auth.ts, where cryptographic operations depend on hard-coded keys rather than dynamically generated or properly managed secrets (CWE-320: Use of Insufficiently Random Values). The attack vector involves manipulating the api_key argument passed to this endpoint. The use of static cryptographic material in a network-accessible authentication service creates a situation where an attacker can potentially derive or bypass cryptographic protections by reverse-engineering the hard-coded keys from the application or analyzing authentication exchanges.

RemediationAI

Upgrade getmaxun maxun to a version after 0.0.28 if a patched release is available from the vendor. Given the vendor's non-responsiveness to early disclosure, check the project's GitHub repository (github.com/getmaxun/maxun) for any subsequent commits or releases that address hard-coded cryptographic keys in the auth.ts file. If no patched version is available, implement compensating controls: (1) Disable or restrict network access to the /getmaxun/maxun authentication endpoints using a reverse proxy or firewall ACL, limiting exposure to trusted internal networks only; (2) Replace hard-coded keys by implementing dynamic key derivation or integration with a secrets-management system (e.g., environment variables, AWS Secrets Manager, HashiCorp Vault); (3) Monitor authentication logs for anomalous api_key manipulation attempts and trigger alerts on repeated failed authentication with modified credentials. These controls trade deployment complexity and operational overhead for reduced information-disclosure risk.

Share

CVE-2025-15105 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy