Home > Vulnerability Database > CVE-2025-51606

Mend.io Vulnerability Database

CVE-2025-51606

Date: August 20, 2025

hippo4j 1.0.0 to 1.5.0, uses a hard-coded secret key in its JWT (JSON Web Token) creation. This allows attackers with access to the source code or compiled binary to forge valid access tokens and impersonate any user, including privileged ones such as "admin". The vulnerability poses a critical security risk in systems where authentication and authorization rely on the integrity of JWTs.

Severity Score

8.8

Related Resources (5)

Url: https://github.com/opengoofy/hippo4j/blob/7d78be3cab526501ad876495862f4cec108da2af/threadpool/server/auth/src/main/java/cn/hippo4j/auth/security/JwtTokenManager.java#L51

Url: https://github.com/opengoofy/hippo4j

Url: https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250610-01.md

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-51606

Url: https://www.mend.io/vulnerability-database/CVE-2025-51606

Severity Score

8.8

Weakness Type (CWE)

Use of Hard-coded Credentials

CWE-798

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-51606

Date: August 20, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?