Actiontech SQLE CVE-2025-15107
LOWSeverity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. The manipulation of the argument JWTSecretKey leads to use of hard-coded cryptographic key . The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report and is planning to fix this flaw in an upcoming release.
AnalysisAI
Actiontech SQLE up to version 4.2511.0 uses a hard-coded cryptographic key in its JWT Secret Handler (sqle/utils/jwt.go), allowing remote attackers with no authentication or user interaction to gain limited information disclosure. The vulnerability results from improper handling of the JWTSecretKey argument, though exploitation is rated as difficult due to high attack complexity. Publicly available exploit code exists, and the vendor has committed to addressing this in an upcoming release.
Technical ContextAI
The vulnerability resides in the JWT (JSON Web Token) secret handling mechanism within Actiontech SQLE's utility layer. JWT authentication relies on cryptographic keys to sign and validate tokens; hard-coded keys eliminate the confidentiality and integrity properties of the signing scheme, violating CWE-320 (Use of Insufficiently Random Values in Security Context). The affected component (sqle/utils/jwt.go) appears to use a fixed, predictable JWTSecretKey rather than deriving or managing secrets securely, enabling attackers to forge or decrypt JWT tokens if they can determine or access the hard-coded value. This is a cryptographic key management failure at the application level.
RemediationAI
Upgrade to the next released version of Actiontech SQLE once available; track GitHub releases at https://github.com/actiontech/sqle for patch availability. Until an official patch is released, implement compensating controls: (1) Restrict network access to SQLE services using a firewall or WAF, allowing only trusted internal networks to connect (trade-off: reduces remote accessibility if legitimate remote users depend on it). (2) Disable or isolate JWT-based authentication in favor of alternative authentication mechanisms (e.g., mutual TLS, API keys with external secret management) if operationally feasible (trade-off: may require application reconfiguration). (3) Deploy network segmentation to limit lateral movement if JWT tokens are compromised (trade-off: increases operational complexity). (4) Monitor JWT token usage and audit logs for anomalous token issuance or validation patterns. Do not rely on key rotation alone, as the key is hard-coded in the codebase; code-level fixes are required.
Same weakness CWE-320 – Key Management Errors
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today