PandaXGO PandaX CVE-2025-15108
LOWSeverity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was detected in PandaXGO PandaX up to fb8ff40f7ce5dfebdf66306c6d85625061faf7e5. This affects an unknown function of the file config.yml of the component JWT Secret Handler. The manipulation of the argument key results in use of hard-coded cryptographic key . The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit is now public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
PandaX JWT Secret Handler uses hard-coded cryptographic keys in the config.yml file, allowing remote attackers to bypass authentication and decrypt sensitive JWT tokens with high attack complexity. The vulnerability affects the product up to commit fb8ff40f7ce5dfebdf66306c6d85625061faf7e5, and although public exploit code exists, the extremely low EPSS score (0.05%) and high attack complexity suggest limited real-world exploitation despite network accessibility.
Technical ContextAI
PandaX is a Go-based framework utilizing a JWT (JSON Web Token) authentication mechanism. The vulnerability stems from CWE-320 (Key Management Errors), specifically the use of hard-coded cryptographic keys in the config.yml configuration file rather than properly managed, environment-specific secrets. The JWT Secret Handler component fails to implement proper key management practices, allowing attackers who can access or manipulate the config.yml file's 'key' argument to obtain or predict the shared secret used to sign and verify JWT tokens. This undermines the cryptographic integrity of the authentication system.
Affected ProductsAI
PandaXGO PandaX is affected in all versions up to and including commit fb8ff40f7ce5dfebdf66306c6d85625061faf7e5. The product uses a rolling release system without traditional version numbers; therefore, specific version ranges cannot be definitively stated. The affected component is the JWT Secret Handler within the config.yml configuration file.
RemediationAI
No vendor-released patch version has been published at the time of analysis. The PandaX project was notified early via issue report (https://github.com/PandaXGO/PandaX/issues/9) but has not yet responded. Immediate compensating controls include: (1) Store JWT secrets in environment variables or secure secret management systems (e.g., HashiCorp Vault, AWS Secrets Manager) instead of hardcoding them in config.yml files, ensuring secrets are never committed to version control; (2) Restrict file system and configuration access via operating system controls, allowing only authorized service accounts to read config.yml; (3) Rotate all JWT signing keys immediately and audit logs for unauthorized token generation; (4) Implement token revocation mechanisms and short-lived token expiration (minutes, not hours) to limit damage if keys are compromised; (5) Monitor for configuration file access and modifications via file integrity monitoring tools. Teams should monitor the GitHub repository (https://github.com/PandaXGO/PandaX) and the CVE database entry for patched releases.
Same weakness CWE-320 – Key Management Errors
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today