CVE-2025-15105 (GCVE-0-2025-15105)

Vulnerability from cvelistv5 – Published: 2025-12-27 09:02 – Updated: 2025-12-29 15:55
VLAI?
Title
getmaxun auth.ts hard-coded key
Summary
A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
6.3 (Medium)
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
3.7 (Low)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
3.7 (Low)
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
CWE
  • CWE-321 - Use of Hard-coded Cryptographic Key
  • CWE-320 - Key Management Error
Assigner
References
Impacted products
Vendor Product Version
getmaxun maxun Affected: 0.0.1
Affected: 0.0.2
Affected: 0.0.3
Affected: 0.0.4
Affected: 0.0.5
Affected: 0.0.6
Affected: 0.0.7
Affected: 0.0.8
Affected: 0.0.9
Affected: 0.0.10
Affected: 0.0.11
Affected: 0.0.12
Affected: 0.0.13
Affected: 0.0.14
Affected: 0.0.15
Affected: 0.0.16
Affected: 0.0.17
Affected: 0.0.18
Affected: 0.0.19
Affected: 0.0.20
Affected: 0.0.21
Affected: 0.0.22
Affected: 0.0.23
Affected: 0.0.24
Affected: 0.0.25
Affected: 0.0.26
Affected: 0.0.27
Affected: 0.0.28
Create a notification for this product.
Credits
28Hus (VulDB User)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-15105",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-29T15:54:53.991053Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-29T15:55:05.915Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "maxun",
          "vendor": "getmaxun",
          "versions": [
            {
              "status": "affected",
              "version": "0.0.1"
            },
            {
              "status": "affected",
              "version": "0.0.2"
            },
            {
              "status": "affected",
              "version": "0.0.3"
            },
            {
              "status": "affected",
              "version": "0.0.4"
            },
            {
              "status": "affected",
              "version": "0.0.5"
            },
            {
              "status": "affected",
              "version": "0.0.6"
            },
            {
              "status": "affected",
              "version": "0.0.7"
            },
            {
              "status": "affected",
              "version": "0.0.8"
            },
            {
              "status": "affected",
              "version": "0.0.9"
            },
            {
              "status": "affected",
              "version": "0.0.10"
            },
            {
              "status": "affected",
              "version": "0.0.11"
            },
            {
              "status": "affected",
              "version": "0.0.12"
            },
            {
              "status": "affected",
              "version": "0.0.13"
            },
            {
              "status": "affected",
              "version": "0.0.14"
            },
            {
              "status": "affected",
              "version": "0.0.15"
            },
            {
              "status": "affected",
              "version": "0.0.16"
            },
            {
              "status": "affected",
              "version": "0.0.17"
            },
            {
              "status": "affected",
              "version": "0.0.18"
            },
            {
              "status": "affected",
              "version": "0.0.19"
            },
            {
              "status": "affected",
              "version": "0.0.20"
            },
            {
              "status": "affected",
              "version": "0.0.21"
            },
            {
              "status": "affected",
              "version": "0.0.22"
            },
            {
              "status": "affected",
              "version": "0.0.23"
            },
            {
              "status": "affected",
              "version": "0.0.24"
            },
            {
              "status": "affected",
              "version": "0.0.25"
            },
            {
              "status": "affected",
              "version": "0.0.26"
            },
            {
              "status": "affected",
              "version": "0.0.27"
            },
            {
              "status": "affected",
              "version": "0.0.28"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "28Hus (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key\r . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 2.6,
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-321",
              "description": "Use of Hard-coded Cryptographic Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-320",
              "description": "Key Management Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-27T09:02:06.124Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-338476 | getmaxun auth.ts hard-coded key",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.338476"
        },
        {
          "name": "VDB-338476 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.338476"
        },
        {
          "name": "Submit #710256 | https://github.com/getmaxun https://github.com/getmaxun/maxun  \u2264 v0.0.28 Authentication Bypass by Primary Weakness",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.710256"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://gist.github.com/H2u8s/40be31987e52fc81076b6bfcfbdf3cd6"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-26T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-12-26T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-12-26T19:16:05.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "getmaxun auth.ts hard-coded key"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-15105",
    "datePublished": "2025-12-27T09:02:06.124Z",
    "dateReserved": "2025-12-26T18:10:50.723Z",
    "dateUpdated": "2025-12-29T15:55:05.915Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-15105\",\"sourceIdentifier\":\"cna@vuldb.com\",\"published\":\"2025-12-27T09:15:40.220\",\"lastModified\":\"2025-12-29T15:57:37.560\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key\\r . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:N/C:P/I:N/A:N\",\"baseScore\":2.6,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":4.9,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-320\"},{\"lang\":\"en\",\"value\":\"CWE-321\"}]}],\"references\":[{\"url\":\"https://gist.github.com/H2u8s/40be31987e52fc81076b6bfcfbdf3cd6\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?ctiid.338476\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?id.338476\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?submit.710256\",\"source\":\"cna@vuldb.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-15105\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-29T15:54:53.991053Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-29T15:55:01.065Z\"}}], \"cna\": {\"title\": \"getmaxun auth.ts hard-coded key\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"28Hus (VulDB User)\"}], \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P\"}}, {\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 3.7, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R\"}}, {\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 3.7, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R\"}}, {\"cvssV2_0\": {\"version\": \"2.0\", \"baseScore\": 2.6, \"vectorString\": \"AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR\"}}], \"affected\": [{\"vendor\": \"getmaxun\", \"product\": \"maxun\", \"versions\": [{\"status\": \"affected\", \"version\": \"0.0.1\"}, {\"status\": \"affected\", \"version\": \"0.0.2\"}, {\"status\": \"affected\", \"version\": \"0.0.3\"}, {\"status\": \"affected\", \"version\": \"0.0.4\"}, {\"status\": \"affected\", \"version\": \"0.0.5\"}, {\"status\": \"affected\", \"version\": \"0.0.6\"}, {\"status\": \"affected\", \"version\": \"0.0.7\"}, {\"status\": \"affected\", \"version\": \"0.0.8\"}, {\"status\": \"affected\", \"version\": \"0.0.9\"}, {\"status\": \"affected\", \"version\": \"0.0.10\"}, {\"status\": \"affected\", \"version\": \"0.0.11\"}, {\"status\": \"affected\", \"version\": \"0.0.12\"}, {\"status\": \"affected\", \"version\": \"0.0.13\"}, {\"status\": \"affected\", \"version\": \"0.0.14\"}, {\"status\": \"affected\", \"version\": \"0.0.15\"}, {\"status\": \"affected\", \"version\": \"0.0.16\"}, {\"status\": \"affected\", \"version\": \"0.0.17\"}, {\"status\": \"affected\", \"version\": \"0.0.18\"}, {\"status\": \"affected\", \"version\": \"0.0.19\"}, {\"status\": \"affected\", \"version\": \"0.0.20\"}, {\"status\": \"affected\", \"version\": \"0.0.21\"}, {\"status\": \"affected\", \"version\": \"0.0.22\"}, {\"status\": \"affected\", \"version\": \"0.0.23\"}, {\"status\": \"affected\", \"version\": \"0.0.24\"}, {\"status\": \"affected\", \"version\": \"0.0.25\"}, {\"status\": \"affected\", \"version\": \"0.0.26\"}, {\"status\": \"affected\", \"version\": \"0.0.27\"}, {\"status\": \"affected\", \"version\": \"0.0.28\"}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-12-26T00:00:00.000Z\", \"value\": \"Advisory disclosed\"}, {\"lang\": \"en\", \"time\": \"2025-12-26T01:00:00.000Z\", \"value\": \"VulDB entry created\"}, {\"lang\": \"en\", \"time\": \"2025-12-26T19:16:05.000Z\", \"value\": \"VulDB entry last update\"}], \"references\": [{\"url\": \"https://vuldb.com/?id.338476\", \"name\": \"VDB-338476 | getmaxun auth.ts hard-coded key\", \"tags\": [\"vdb-entry\", \"technical-description\"]}, {\"url\": \"https://vuldb.com/?ctiid.338476\", \"name\": \"VDB-338476 | CTI Indicators (IOB, IOC, TTP, IOA)\", \"tags\": [\"signature\", \"permissions-required\"]}, {\"url\": \"https://vuldb.com/?submit.710256\", \"name\": \"Submit #710256 | https://github.com/getmaxun https://github.com/getmaxun/maxun  \\u2264 v0.0.28 Authentication Bypass by Primary Weakness\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://gist.github.com/H2u8s/40be31987e52fc81076b6bfcfbdf3cd6\", \"tags\": [\"exploit\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key\\r . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-321\", \"description\": \"Use of Hard-coded Cryptographic Key\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-320\", \"description\": \"Key Management Error\"}]}], \"providerMetadata\": {\"orgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"shortName\": \"VulDB\", \"dateUpdated\": \"2025-12-27T09:02:06.124Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-15105\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-29T15:55:05.915Z\", \"dateReserved\": \"2025-12-26T18:10:50.723Z\", \"assignerOrgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"datePublished\": \"2025-12-27T09:02:06.124Z\", \"assignerShortName\": \"VulDB\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.