
Xuxueli xxl-job CVE-2025-7789

LOW
Inadequate Encryption Strength (CWE-326)
2025-07-18 cna@vuldb.com
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:21 (vuln.today)

Description (CVE.org)

A vulnerability was found in Xuxueli xxl-job up to 3.1.1 and classified as problematic. Affected by this issue is the function makeToken of the file src/main/java/com/xxl/job/admin/controller/IndexController.java of the component Token Generation. The manipulation leads to password hash with insufficient computational effort. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

Analysis (AI)

Token generation in Xuxueli xxl-job up to version 3.1.1 uses password hashing with insufficient computational effort (a weak bcrypt configuration or equivalent), allowing attackers to crack authentication tokens by brute force. The vulnerability affects the makeToken function in IndexController.java. Its practical impact is low (confidentiality impact only, with no integrity or availability damage), exploitation requires high attack complexity, and the vulnerability is not known to be actively exploited at scale despite public disclosure.

Technical Context (AI)

The vulnerability resides in the token generation mechanism of xxl-job's administrative interface. The makeToken function in src/main/java/com/xxl/job/admin/controller/IndexController.java implements password hashing using an algorithm with insufficient computational cost (classified as CWE-326: Inadequate Encryption Strength). This likely means the function uses weak bcrypt cost factors, MD5 or SHA-1 without salting, or similar outdated hashing methods instead of modern password-based key derivation functions (PBKDF2, Argon2, scrypt). The token can be brute-forced offline if an attacker obtains the token hash, though the attack complexity is rated as high, suggesting additional protective mechanisms exist (rate limiting, token expiration, or inherent computational barriers).

Remediation (AI)

Upgrade xxl-job to a version newer than 3.1.1 (specific patched version not confirmed in provided data - verify latest stable release from https://github.com/xuxueli/xxl-job). The primary fix is to strengthen token generation by replacing the weak hashing algorithm with bcrypt using cost factor 12 or higher, or preferably Argon2id with appropriate memory/time parameters. As a temporary compensating control pending upgrade, implement strict rate limiting on token validation endpoints (e.g., maximum 5 attempts per IP per minute) and enforce short token expiration times (15-30 minutes). If tokens are stored in a database, consider adding additional authentication factors or IP-based validation. Side effects of aggressive rate limiting include potential denial of service against legitimate users; balance security with usability by whitelisting trusted IP ranges if possible.
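The following is an added example, not code from xxl-job or from this page, written in Python rather than the project's Java because it illustrates the generic controls named in the Technical Context and Remediation sections rather than any xxl-job API: a salted, memory-hard derivation (scrypt from the standard library, assumed available in the local OpenSSL build) placed next to the kind of unsalted single-pass digest the analysis describes, random session tokens with a 20-minute expiry, and a sliding-window limit of five validation attempts per IP per minute with an allowlist for trusted addresses. All function, class and variable names (weak_digest, strong_digest, TokenStore, RateLimiter, validate_request) are hypothetical, and the walk-through input is constructed.

```python
# Added example (not xxl-job's code): salted memory-hard derivation versus a
# single-pass digest, short-lived random tokens, and a per-IP attempt budget on
# the validation endpoint. All names are hypothetical.
import hashlib
import os
from collections import defaultdict, deque

TOKEN_TTL_SECONDS = 20 * 60        # within the 15-30 minute window recommended above
MAX_ATTEMPTS_PER_MINUTE = 5        # per-IP budget for token validation
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # roughly 16 MiB and tens of ms per guess


def weak_digest(secret: str) -> str:
    """Unsalted single MD5 pass: negligible effort per guess, so a leaked value
    can be attacked offline at hardware speed. Constructed weak stand-in, not
    the project's makeToken implementation."""
    return hashlib.md5(secret.encode()).hexdigest()


def strong_digest(secret: str, salt: bytes) -> bytes:
    """Salted scrypt from the standard library. The cost parameters, not the
    digest length, are what raise the per-guess effort for an attacker."""
    return hashlib.scrypt(secret.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


class TokenStore:
    """Issues random session tokens with an expiry instead of deriving them
    from a password hash, so a leaked token reveals nothing about the password."""

    def __init__(self):
        self._tokens = {}                      # token -> (user, expires_at)

    def issue(self, user: str, now: float) -> str:
        token = os.urandom(32).hex()           # 256 bits of CSPRNG output
        self._tokens[token] = (user, now + TOKEN_TTL_SECONDS)
        return token

    def validate(self, token: str, now: float):
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:                  # expired: purge and reject
            del self._tokens[token]
            return None
        return user


class RateLimiter:
    """Sliding one-minute window: at most `limit` attempts per client IP.
    `allowlist` exempts trusted addresses, the usability trade-off noted above."""

    def __init__(self, limit=MAX_ATTEMPTS_PER_MINUTE, window=60.0, allowlist=()):
        self.limit, self.window = limit, window
        self.allowlist = set(allowlist)
        self._hits = defaultdict(deque)        # ip -> timestamps of recent attempts

    def allow(self, ip: str, now: float) -> bool:
        if ip in self.allowlist:
            return True
        hits = self._hits[ip]
        while hits and now - hits[0] >= self.window:
            hits.popleft()                     # drop attempts outside the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def validate_request(store, limiter, ip: str, token: str, now: float):
    """Endpoint logic: the rate limit is checked before the token lookup, so
    every guess is counted whether or not the token is well-formed."""
    if not limiter.allow(ip, now):
        return "rate_limited", None
    user = store.validate(token, now)
    return ("ok", user) if user is not None else ("invalid", None)


if __name__ == "__main__":
    # Constructed walk-through: six wrong guesses from one address within a minute,
    # then the real token once the window has slid past the first attempts.
    store, limiter = TokenStore(), RateLimiter()
    real = store.issue("admin", now=1000.0)
    for i in range(6):
        print(i, validate_request(store, limiter, "203.0.113.7", "deadbeef", 1000.0 + i))
    print("valid token after window:", validate_request(store, limiter, "203.0.113.7", real, 1061.0))
```

The rate limiter counts failed and successful attempts alike and is consulted before the token lookup, so an attacker cannot probe for well-formed tokens without spending budget; the allowlist is the place to put trusted ranges if the limit proves too aggressive for legitimate users.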


CVE-2025-7789 vulnerability details – vuln.today
