Skip to main content

ATLAS-EPIC CVE-2025-60639

MEDIUM
Use of Hard-coded Credentials (CWE-798)
2025-10-16 cve@mitre.org
6.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
6.5 MEDIUM

Credentials in public source code require no privileges to obtain; network replay against exposed instance is trivial, but impact is bounded to partial access rather than full system compromise.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 04, 2026 - 20:30 vuln.today

DescriptionCVE.org

Hardcoded credentials in gsigel14 ATLAS-EPIC commit f29312c (2025-05-26).

AnalysisAI

Hardcoded credentials embedded in ATLAS-EPIC (GitHub project gsiegel14/ATLAS-EPIC, commit f29312c, 2025-05-26) expose authentication secrets directly in publicly accessible source code, enabling authentication bypass. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms that any network-reachable instance can be accessed by an unauthenticated attacker who reads the repository and extracts the embedded credentials. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

CWE-798 (Use of Hard-coded Credentials) describes a class of vulnerability where authentication secrets - passwords, API keys, tokens, or cryptographic keys - are statically embedded in source code rather than supplied at runtime via environment variables or secrets management. Because the ATLAS-EPIC repository is publicly hosted on GitHub, the credentials are effectively public knowledge for anyone who reads the commit history at f29312cf782ec5a6537fceaeb6a9ced7d7d04e1f. The CVSS network attack vector implies the application exposes a network-accessible interface (likely HTTP/HTTPS or an API endpoint) against which these credentials can be directly replayed. No CPE string was provided in the intelligence data, so the exact runtime stack (language, framework, backend service) cannot be confirmed from available data alone.

Affected ProductsAI

ATLAS-EPIC as maintained by gsiegel14 is affected at commit f29312c (2025-05-26) and all prior commits containing the same hardcoded credentials. No explicit version numbering system or release tags are referenced in the available data; the affected codebase is identified solely by the GitHub commit SHA f29312cf782ec5a6537fceaeb6a9ced7d7d04e1f at https://github.com/gsiegel14/ATLAS-EPIC. No CPE string was included in the intelligence data. Downstream forks or deployments that have not remediated the credentials are also affected.

RemediationAI

Immediately rotate all credentials hardcoded in commit f29312c and any preceding commits - rotating credentials in the application without removing them from git history is insufficient, as the secrets remain readable via git log and GitHub's commit browser. The repository history should be purged using git-filter-repo or BFG Repo Cleaner to eliminate the secrets from all reachable commits, then the sanitized history force-pushed and all prior clone caches invalidated. All services or accounts authenticated by the exposed credentials must have their passwords or API keys reset immediately. Until remediation is complete, consider taking the network-exposed application offline or blocking public network access via firewall rules as a compensating control, accepting the trade-off of service unavailability. No vendor-released patch or tagged fix version has been independently confirmed from the available references; the fix status should be verified at https://github.com/gsiegel14/ATLAS-EPIC and https://xancatos.org/cve202560639.

Share

CVE-2025-60639 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy