oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-53960: Apache StreamPark: Use the user’s password as the secret key Vulnerability

From: Huajie Wang <benjobs () apache org>
Date: Thu, 04 Dec 2025 02:14:56 +0000
Severity: moderate 

Affected versions:

- Apache StreamPark 2.0.0 before 2.1.7

Description:

In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key 
exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically 
generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, 
potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or 
unauthorized system access.


This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.

Users are recommended to upgrade to version 2.1.7, which fixes the issue.

Credit:

omkar parkhe <omkarparth () gmail com> (finder)

References:

https://streampark.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-53960
Previous By Date Next
Previous By Thread Next

Current thread: