CVE-2025-14261

EPSS 0.27%
Veröffentlicht 08.12.2025 18:12:46
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle reefs@jfrog.com
CVE-Watchlists
Login
Unerledigt
Login

Lack of entropy allows registered low-privileged users of Litmus to crack valid JWT tokens and gain admin privileges

The Litmus platform uses JWT for authentication and authorization, but the secret being used for signing the JWT is only 6 bytes long at its core, which makes it extremely easy to crack.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLitmuschaos

≫

Produkt litmus

Default Statusunaffected

Version 0

Version < 3.23.0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.27%	0.182

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
reefs@jfrog.com	7.1	2.8	4.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

CWE-331 Insufficient Entropy

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

https://research.jfrog.com/vulnerabilities/litmus-jwt-missing-entropy-elevation-jfsa-2025-001648159/

https://github.com/litmuschaos/litmus/pull/5324

https://nvd.nist.gov/vuln/detail/CVE-2025-14261

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-14261

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-14261

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-14261