CVE-2025-51606
hippo4j Includes Hard Coded Secret Key in JWT Creation
8.8
HIGH
CVSS 3.1
EPSS 0.08%
Description
hippo4j versions 1.0.0 through 1.5.0 use a hard-coded secret key in their JWT (JSON Web Token) creation. This allows attackers with access to the source code or compiled binary to forge valid access tokens and impersonate any user, including privileged ones such as "admin". The vulnerability poses a critical security risk in systems where authentication and authorization rely on the integrity of JWTs.
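The class of fix this weakness calls for, as an added example that is not hippo4j's code: an HS256 issuer/verifier whose key is read from the deployment environment rather than embedded in the source, which refuses to start without a key of at least 32 bytes, pins the algorithm, and rejects tokens signed under any other key. The variable name JWT_SECRET and the function names are assumptions.

```python
import base64, hashlib, hmac, json, os, secrets, time

MIN_KEY_BYTES = 32  # HS256 keys must be at least the HMAC output size (RFC 7518 s.3.2)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def new_secret() -> str:
    """Generate a random per-deployment key to store in JWT_SECRET (assumed variable name)."""
    return _b64(secrets.token_bytes(MIN_KEY_BYTES))

def load_jwt_secret(env=os.environ) -> bytes:
    """Read the signing key from the environment; never fall back to a key baked into the code."""
    raw = env.get("JWT_SECRET")
    if raw is None:
        raise RuntimeError("JWT_SECRET is not set; refusing to start with a built-in key")
    key = _unb64(raw)
    if len(key) < MIN_KEY_BYTES:
        raise RuntimeError(f"JWT_SECRET is {len(key)} bytes; need at least {MIN_KEY_BYTES}")
    return key

def issue_token(key: bytes, subject: str, ttl: int = 3600) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": subject, "exp": int(time.time()) + ttl}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(key: bytes, token: str) -> "dict | None":
    """Return the claims if the signature under this key and the expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        if json.loads(_unb64(header)).get("alg") != "HS256":  # pin the algorithm
            return None
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64(expected), sig):
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError, AttributeError):
        return None
    return claims if claims.get("exp", 0) >= time.time() else None
```

A token minted under one deployment's key is rejected by a verifier holding a different key, which is exactly the property a hard-coded, shared key destroys.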
How to fix CVE-2025-51606
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- No fix listed
Is CVE-2025-51606 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 1.0.0, <= 1.5.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (4)
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2025-51606
- PATCH: github.com/opengoofy/hippo4j
- WEB: github.com/opengoofy/hippo4j/blob/7d78be3cab526501ad876495862f4cec108da2af/threadpool/server/auth/src/main/java/cn/hippo4j/auth/security/JwtTokenManager.java#L51
- WEB: github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250610-01.md