
Python · EUVD-2025-18201

CVE-2025-43866 · HIGH
Use of Insufficiently Random Values (CWE-330)
2025-06-12 · security-advisories@github.com · GHSA-m3mq-f375-5vgh
7.5 (CVSS 3.1 · GitHub Advisory)

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline (4 events)

Patch released: Mar 31, 2026 - 21:13 (nvd); patch available
EUVD ID Assigned: Mar 14, 2026 - 21:20 (euvd); EUVD-2025-18201
Analysis Generated: Mar 14, 2026 - 21:20 (vuln.today)
CVE Published: Jun 12, 2025 - 18:15 (nvd); HIGH 7.5

Description (GitHub Advisory)

vantage6 is an open-source infrastructure for privacy-preserving analysis. The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not cryptographically secure because it is predictable to some extent. This vulnerability is fixed in 4.11.0.

Analysis (AI)

vantage6 servers auto-generate JWT secret keys using UUID1, a predictable algorithm that lacks cryptographic strength, allowing attackers to forge authentication tokens and gain unauthorized access to the privacy-preserving analysis platform. This affects all vantage6 versions prior to 4.11.0 where users have not manually defined a strong JWT secret. The vulnerability has a CVSS score of 7.5 with high confidentiality impact, as attackers can impersonate legitimate users without needing privileges or user interaction.

Technical Context (AI)

The vulnerability stems from CWE-330 (Use of Insufficiently Random Values), a fundamental cryptographic weakness. vantage6 uses JWT (JSON Web Tokens) for authentication, but the default key generation relies on UUID1 (time-based, MAC-address-based UUIDs defined in RFC 4122) rather than cryptographically secure random generation. UUID1 is deterministic and predictable given knowledge of the timestamp and MAC address, making it unsuitable for cryptographic purposes like JWT signing. An attacker who can predict or brute-force the UUID1 value can generate valid JWTs, bypassing authentication entirely. The affected component is the vantage6 server's JWT initialization module, which generates keys at startup unless explicitly overridden via user configuration.

Remediation (AI)

Immediate actions: (1) Upgrade vantage6 to version 4.11.0 or later, which implements cryptographically secure random JWT key generation. (2) For systems unable to immediately upgrade, manually set the JWT_SECRET configuration parameter to a strong, cryptographically random value (minimum 256 bits of entropy, generated using tools like openssl rand -base64 32). (3) Rotate all existing JWT tokens and revoke any long-lived tokens issued prior to remediation. (4) Review server logs for suspicious authentication patterns or unauthorized token usage. (5) Consider implementing token expiration policies and rate limiting on token validation endpoints. Organizations should prioritize patching vantage6 instances handling sensitive research or healthcare data within 48-72 hours.
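The two points above (why a UUID1 is structured rather than random, and what a replacement secret should look like) can be checked against a deployed configuration. The following script is an added example, not vantage6 code: it decodes a candidate secret to show the timestamp, clock-sequence and node fields a version-1 UUID carries, flags a secret that fails the checks, and generates a replacement from the operating system's CSPRNG. It assumes the operator pastes in the value from wherever their deployment stores the signing secret (the page calls this the JWT_SECRET parameter; the exact vantage6 configuration key is not confirmed here, so the script takes the value as a plain string argument).

```python
"""Audit a JWT signing secret for the CWE-330 weakness described in
CVE-2025-43866 and produce a strong replacement.
Added example; assumptions: the secret is supplied as a string by the
operator, and 32 random bytes (256 bits) is the minimum acceptable size."""
import secrets
import uuid


def is_uuid1(secret: str) -> bool:
    """True if the secret parses as an RFC 4122 UUID whose version nibble is 1
    (time-based), i.e. the kind of value the vulnerable default produced."""
    try:
        return uuid.UUID(secret).version == 1
    except ValueError:
        return False


def uuid1_fields(secret: str) -> dict:
    """Break a version-1 UUID into the fields it is built from, to show that
    the value is structured (60-bit timestamp, 14-bit clock sequence, 48-bit
    node/MAC) rather than 128 bits of randomness."""
    u = uuid.UUID(secret)
    if u.version != 1:
        raise ValueError("not a version-1 UUID")
    return {"time": u.time, "clock_seq": u.clock_seq, "node": u.node}


def audit_jwt_secret(secret: str, min_bytes: int = 32) -> list:
    """Return a list of findings; an empty list means the secret passed."""
    findings = []
    if is_uuid1(secret):
        findings.append(
            "version-1 UUID: derived from timestamp, clock sequence and MAC "
            "address, not a CSPRNG (CWE-330)")
    elif secret.count("-") == 4 and len(secret) == 36:
        # Any RFC 4122 UUID carries at most 122 random bits, below 256.
        findings.append("UUID-shaped secret: at most 122 bits of randomness")
    if len(secret.encode()) < min_bytes:
        findings.append(
            f"shorter than {min_bytes} bytes ({len(secret.encode())} bytes)")
    if len(set(secret)) < 10:
        findings.append("very few distinct characters; looks hand-typed")
    return findings


def generate_jwt_secret(nbytes: int = 32) -> str:
    """Replacement secret from the OS CSPRNG; nbytes=32 gives 256 bits of
    entropy, the same strength as the page's `openssl rand -base64 32`."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed sample: what the vulnerable default would have produced.
    weak = str(uuid.uuid1())
    print("sample default secret:", weak)
    print("fields:", uuid1_fields(weak))
    for finding in audit_jwt_secret(weak):
        print("FINDING:", finding)
    strong = generate_jwt_secret()
    print("replacement:", strong, "findings:", audit_jwt_secret(strong))
```

The `uuid1_fields` output is the practical check for the predictability claim: the node field is the host's MAC address and the time field advances with the clock, so two secrets generated on the same host minutes apart differ only in a narrow range of bits. Rotating to a `token_urlsafe` value and then invalidating tokens issued under the old key, as the remediation list says, closes the gap.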

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-27966 CRITICAL POC
9.8 Feb 26

Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary

CVE-2025-0868 CRITICAL POC
9.3 Feb 20

A vulnerability, that could result in Remote Code Execution (RCE), has been found in DocsGPT. Rated critical severity (C

CVE-2026-41264 CRITICAL POC
9.2 Apr 21

## Abstract Trend Micro's Zero Day Initiative has identified a vulnerability affecting FlowiseAI Flowise. ## Vulnerabi

CVE-2025-1550 CRITICAL POC
9.8 Mar 11

Keras Model.load_model can execute arbitrary code even with safe_mode=True by manipulating the config.json inside a .ker


EUVD-2025-18201 vulnerability details – vuln.today
