getmaxun maxun CVE-2025-15106
Severity (by source): LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; only source for this CVE.
Description (CVE.org)
A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Improper authorization in getmaxun maxun up to version 0.0.28 allows authenticated remote attackers to access unauthorized resources via manipulation of the authentication endpoint router in server/src/routes/auth.ts. Exploit code is publicly available, but the EPSS score of 0.15% indicates a low probability of real-world exploitation despite the confirmed public disclosure.
Technical Context (AI)
The vulnerability resides in the Authentication Endpoint component, specifically in the router.get function of server/src/routes/auth.ts. This is a classic authorization flaw (CWE-266: Improper Privilege Management) where the application fails to properly verify user permissions before granting access to protected resources. The affected product is getmaxun maxun, a Node.js-based application framework, and the vulnerability affects all versions up to and including 0.0.28. The attack vector is network-accessible (AV:N) with low complexity (AC:L), but importantly requires authenticated access (PR:L), meaning the attacker must already have a valid user account or session token to exploit the authorization bypass.
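The following is an added illustration of the flaw class described above (an authenticated GET route that never checks authorization), shown beside a hardened variant that authorizes per resource; the route shapes, user store and role names are hypothetical and are not maxun's code.

```typescript
// Added example: improper authorization on an authenticated GET handler.
// Express-style request/response shapes are modelled minimally so the
// block runs stand-alone; nothing here is taken from server/src/routes/auth.ts.
type Role = "admin" | "user";
interface AuthedUser { id: string; role: Role; }
interface Req { user?: AuthedUser; params: Record<string, string>; }
interface Res { status: number; body: unknown; }

interface UserRecord { id: string; email: string; apiKey: string; }

// Constructed sample data store (hypothetical users and keys).
const users: Record<string, UserRecord> = {
  u1: { id: "u1", email: "alice@example.test", apiKey: "constructed-key-alice" },
  u2: { id: "u2", email: "bob@example.test", apiKey: "constructed-key-bob" },
};

// Vulnerable pattern: authentication is enforced (maps to PR:L in the vector)
// but authorization is not, so any logged-in user can read any other user's
// record, credentials included. This is the defect class, not maxun's code.
function vulnerableGetUser(req: Req): Res {
  if (!req.user) return { status: 401, body: "unauthenticated" };
  const target = users[req.params.id];
  if (!target) return { status: 404, body: "not found" };
  return { status: 200, body: target };
}

// Hardened variant: decide authorization before touching the resource
// (owner or admin only) and never return credential material in the body.
function hardenedGetUser(req: Req): Res {
  if (!req.user) return { status: 401, body: "unauthenticated" };
  const isOwner = req.user.id === req.params.id;
  const isAdmin = req.user.role === "admin";
  // Deny first: the caller learns nothing about whether the record exists.
  if (!isOwner && !isAdmin) return { status: 403, body: "forbidden" };
  const target = users[req.params.id];
  if (!target) return { status: 404, body: "not found" };
  // Build the response explicitly so secrets cannot leak by accident.
  const safe = { id: target.id, email: target.email };
  return { status: 200, body: safe };
}
```

The audit step in the remediation section amounts to checking every handler in the file for the first shape and converting it to the second.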
Remediation (AI)
Upgrade to a patched version newer than 0.0.28 once released by the getmaxun project. The vendor did not respond to early disclosure, so patch availability should be verified at the official getmaxun repository (likely GitHub). In the interim, implement compensating controls:
(1) Conduct an authorization audit of all endpoints in server/src/routes/auth.ts to identify which resources are accessible by low-privilege users and whether that access is intentional; this may reveal the scope of the bypass.
(2) Apply network segmentation to restrict unauthenticated users from reaching the application if feasible, though this has limited effectiveness since the attacker must authenticate.
(3) Monitor authentication logs and access patterns for anomalous privilege escalation or unauthorized resource access attempts.
(4) Implement API gateway rules to enforce role-based access control (RBAC) at the network layer as defense-in-depth, but note this does not fix the underlying application flaw.
Reference: Exploit details and vulnerability details are available at https://gist.github.com/H2u8s/1a0bdb19d5c8c8f4dc72cb49ffe9a22b and https://vuldb.com/?id.338477.