GHSA-J752-CJCJ-W847

Vulnerability from github – Published: 2025-04-15 14:17 – Updated: 2025-04-23 15:09
VLAI?
Summary
Dpanel's hard-coded JWT secret leads to remote code execution
Details

Summary

The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine.

Details

The Dpanel service, when initiated using its default configuration, includes a hardcoded JWT secret embedded directly within its source code. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. It is recommended to replace the hardcoded secret with a securely generated value and load it from secure configuration storage to mitigate this vulnerability.

PoC

The core code snippet is shown below:

import jwt

def generate_jwt(appname):

    payload = {
        "SECRET_KEY":"SECRET_VALUE",
    }
    print("appname:", appname)
    print("payload:", str(payload))
    token = jwt.encode(payload, SECRET_KEY.format(APP_NAME=appname), algorithm="HS256")
    return token

appname = "SECRET_KEY"
token = generate_jwt(appname)
print("url token:", token)

Impact

Attackers who successfully exploit this vulnerability can write arbitrary files to the host machine's file system, and all users with Dpanel versions less than 1.6.1 are affected.

Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/donknap/dpanel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-453",
      "CWE-547"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-15T14:17:25Z",
    "nvd_published_at": "2025-04-15T20:15:39Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nThe Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine.\n\n### Details\nThe Dpanel service, when initiated using its default configuration, includes a hardcoded JWT secret embedded directly within its source code. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. It is recommended to replace the hardcoded secret with a securely generated value and load it from secure configuration storage to mitigate this vulnerability.\n\n\n### PoC\nThe core code snippet is shown below:\n```python\nimport jwt\n\ndef generate_jwt(appname):\n\n    payload = {\n        \"SECRET_KEY\"\uff1a\"SECRET_VALUE\",\n    }\n    print(\"appname:\", appname)\n    print(\"payload:\", str(payload))\n    token = jwt.encode(payload, SECRET_KEY.format(APP_NAME=appname), algorithm=\"HS256\")\n    return token\n\nappname = \"SECRET_KEY\"\ntoken = generate_jwt(appname)\nprint(\"url token:\", token)\n```\n\n### Impact\nAttackers who successfully exploit this vulnerability can write arbitrary files to the host machine\u0027s file system, and all users with Dpanel versions less than 1.6.1 are affected.",
  "id": "GHSA-j752-cjcj-w847",
  "modified": "2025-04-23T15:09:48Z",
  "published": "2025-04-15T14:17:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/donknap/dpanel/security/advisories/GHSA-j752-cjcj-w847"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30206"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/donknap/dpanel"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3612"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dpanel\u0027s hard-coded JWT secret leads to remote code execution"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.