Home > Vulnerability Database > CVE-2025-66910

Mend.io Vulnerability Database

CVE-2025-66910

Good to know:

Date: December 19, 2025

Turms Server v0.10.0-SNAPSHOT and earlier contains a plaintext password storage vulnerability in the administrator authentication system. The BaseAdminService class caches administrator passwords in plaintext within AdminInfo objects to optimize authentication performance. Upon successful login, raw passwords are stored unencrypted in memory in the rawPassword field. Attackers with local system access can extract these passwords through memory dumps, heap analysis, or debugger attachment, bypassing bcrypt protection.

Severity Score

6.0

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-66910

Url: https://github.com/turms-im/turms/blob/develop/turms-server-common/src/main/java/im/turms/server/common/domain/admin/bo/AdminInfo.java#L34

Url: https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66910_report.md

Url: https://github.com/turms-im/turms

Url: https://github.com/turms-im/turms/blob/develop/turms-server-common/src/main/java/im/turms/server/common/domain/admin/service/BaseAdminService.java#L237

Url: https://www.mend.io/vulnerability-database/CVE-2025-66910

Severity Score

6.0

Weakness Type (CWE)

Insertion of Sensitive Information into Log File

CWE-532

Plaintext Storage of a Password

CWE-256

CVSS v3.1

Base Score:	6.0
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-66910

Good to know:

Date: December 19, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?