CVE-2025-15107: SQLE's JWT Secret Handler can be manipulated to use hard-coded cryptographic key
(updated )
A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. The manipulation of the argument JWTSecretKey leads to use of hard-coded cryptographic key.
The attack is possible to be carried out remotely. The attack’s complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report and is planning to fix this flaw in an upcoming release.
References
- github.com/actiontech/sqle
- github.com/actiontech/sqle/blob/4714f83f33e0d7aa647036eb756e928aa4174014/sqle/utils/jwt.go
- github.com/actiontech/sqle/issues/3186
- github.com/actiontech/sqle/milestone/53
- github.com/advisories/GHSA-43h9-hc38-qph5
- nvd.nist.gov/vuln/detail/CVE-2025-15107
- vuldb.com/?ctiid.338478
- vuldb.com/?id.338478
- vuldb.com/?submit.710380
Code Behaviors & Features
Detect and mitigate CVE-2025-15107 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →