Vulnerability DatabaseCVE-2025-9604
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-9604
August 29, 2025
A vulnerability was identified in coze-studio up to 0.2.4. The impacted element is an unknown function of the file backend/domain/plugin/encrypt/aes.go. The manipulation of the argument AuthSecretKey/StateSecretKey/OAuthTokenSecretKey leads to use of hard-coded cryptographic key . It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. To fix this issue, it is recommended to deploy a patch. The vendor replied to the GitHub issue (translated from simplified Chinese): "For scenarios requiring encryption, we will implement user-defined key management through configuration and optimize the use of encryption tools, such as random salt."
Affected Packages
github.com/coze-dev/coze-studio (GO):
Affected version(s) >=v0.1.0 <v0.2.2
Fix Suggestion:
Update to version v0.2.2
Related Resources (6)
https://vuldb.com/?ctiid.321780
https://github.com/coze-dev/coze-studio/issues/505
https://vuldb.com/?submit.636417
https://github.com/coze-dev/coze-studio/pull/533
https://github.com/coze-dev/coze-studio/issues/505#issuecomment-3148568862
https://vuldb.com/?id.321780
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.4
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Use of Hard-coded Cryptographic Key
CWE-321
EPSS
Base Score:
0.03