Skip to main content

Actiontech SQLE CVE-2025-15107

LOW
Key Management Errors (CWE-320)
2025-12-27 cna@vuldb.com
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 03:01 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. The manipulation of the argument JWTSecretKey leads to use of hard-coded cryptographic key . The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report and is planning to fix this flaw in an upcoming release.

AnalysisAI

Actiontech SQLE up to version 4.2511.0 uses a hard-coded cryptographic key in its JWT Secret Handler (sqle/utils/jwt.go), allowing remote attackers with no authentication or user interaction to gain limited information disclosure. The vulnerability results from improper handling of the JWTSecretKey argument, though exploitation is rated as difficult due to high attack complexity. Publicly available exploit code exists, and the vendor has committed to addressing this in an upcoming release.

Technical ContextAI

The vulnerability resides in the JWT (JSON Web Token) secret handling mechanism within Actiontech SQLE's utility layer. JWT authentication relies on cryptographic keys to sign and validate tokens; hard-coded keys eliminate the confidentiality and integrity properties of the signing scheme, violating CWE-320 (Use of Insufficiently Random Values in Security Context). The affected component (sqle/utils/jwt.go) appears to use a fixed, predictable JWTSecretKey rather than deriving or managing secrets securely, enabling attackers to forge or decrypt JWT tokens if they can determine or access the hard-coded value. This is a cryptographic key management failure at the application level.

RemediationAI

Upgrade to the next released version of Actiontech SQLE once available; track GitHub releases at https://github.com/actiontech/sqle for patch availability. Until an official patch is released, implement compensating controls: (1) Restrict network access to SQLE services using a firewall or WAF, allowing only trusted internal networks to connect (trade-off: reduces remote accessibility if legitimate remote users depend on it). (2) Disable or isolate JWT-based authentication in favor of alternative authentication mechanisms (e.g., mutual TLS, API keys with external secret management) if operationally feasible (trade-off: may require application reconfiguration). (3) Deploy network segmentation to limit lateral movement if JWT tokens are compromised (trade-off: increases operational complexity). (4) Monitor JWT token usage and audit logs for anomalous token issuance or validation patterns. Do not rely on key rotation alone, as the key is hard-coded in the codebase; code-level fixes are required.

Share

CVE-2025-15107 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy