CVE-2025-53960

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-53960
When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue.

5.9 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://lists.apache.org/thread/xlpvfzf5l5m5mfyjwrz5h4dssm3c32vy Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/12/04/1 Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*
History

16 Dec 2025, 21:28

Type Values Removed Values Added
First Time Apache streampark
Apache
References () https://lists.apache.org/thread/xlpvfzf5l5m5mfyjwrz5h4dssm3c32vy - () https://lists.apache.org/thread/xlpvfzf5l5m5mfyjwrz5h4dssm3c32vy - Mailing List, Vendor Advisory
References () http://www.openwall.com/lists/oss-security/2025/12/04/1 - () http://www.openwall.com/lists/oss-security/2025/12/04/1 - Mailing List, Third Party Advisory
CPE cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*

16 Dec 2025, 10:15

Type Values Removed Values Added
Summary (en) When encrypting sensitive data, weak encryption keys that are fixed or directly generated based on user passwords are used. Attackers can obtain these keys through methods such as reverse engineering, code leaks, or password guessing, thereby decrypting stored or transmitted encrypted data, leading to the leakage of sensitive information. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue. (en) When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue.

12 Dec 2025, 19:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.9

12 Dec 2025, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-12-12 16:15

Updated : 2025-12-16 21:28

NVD link : CVE-2025-53960

Mitre link : CVE-2025-53960

CVE.ORG link : CVE-2025-53960

JSON object : View

Products Affected

apache

  • streampark
CWE
CWE-1240

Use of a Cryptographic Primitive with a Risky Implementation