oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-54947: Apache StreamPark: Use hard-coded key vulnerability

From: Huajie Wang <benjobs () apache org>
Date: Fri, 12 Dec 2025 14:57:25 +0000
Severity: important 

Affected versions:

- Apache StreamPark 2.0.0 before 2.1.7

Description:

In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key 
exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically 
generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, 
potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or 
unauthorized system access.

This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.

Users are recommended to upgrade to version 2.1.7, which fixes the issue.

Credit:

omkarparth () gmail com (finder)

References:

https://streampark.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-54947
Previous By Date Next
Previous By Thread Next

Current thread: