CVE-2025-10080: Use of Hard-coded Cryptographic Key in running-elephant Datart
A vulnerability has been found in running-elephant Datart up to 1.0.0-rc3. Affected by this issue is the function getTokensecret of the file datart/security/src/main/java/datart/security/util/AESUtil.java of the component API. The manipulation leads to the use of a hard-coded cryptographic key. The attack can be carried out remotely. The attack is considered to have high complexity. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-10080 is a vulnerability identified in the running-elephant Datart software versions 1.0.0-rc1 through 1.0.0-rc3. The issue resides in the getTokensecret function within the AESUtil.java file of the datart/security component. Specifically, the vulnerability stems from the use of a hard-coded cryptographic key for encryption operations. Hard-coded keys are a significant security risk because they can be extracted by attackers who gain access to the software binaries or source code, allowing them to decrypt sensitive data or forge authentication tokens. The vulnerability can be exploited remotely without user interaction; however, the attack complexity is high, and exploitation is considered difficult. The CVSS 4.0 vector indicates that the attack requires network access (AV:N), has high complexity (AC:H), requires low privileges (PR:L), needs no user interaction (UI:N), and results in low confidentiality impact (VC:L) with no impact on integrity or availability. Although the exploit has been publicly disclosed, there are no known exploits in the wild currently. The vulnerability affects the API component of Datart, which is a data visualization and business intelligence platform, potentially exposing sensitive token secrets used for authentication or encryption. The presence of a hard-coded key undermines the cryptographic security model, potentially allowing attackers to bypass authentication or decrypt confidential data if they can extract the key. Given the high complexity and low impact ratings, exploitation is not trivial and would likely require significant effort or additional vulnerabilities to be chained for a successful attack.
Potential Impact
For European organizations using running-elephant Datart versions 1.0.0-rc1 to 1.0.0-rc3, this vulnerability could lead to unauthorized access to sensitive data or services protected by the compromised cryptographic keys. Since Datart is used for data analytics and visualization, the exposure of token secrets could allow attackers to impersonate legitimate users or decrypt sensitive business intelligence data. This could result in confidentiality breaches, potentially exposing proprietary or personal data, which would have compliance implications under GDPR. However, the low CVSS score and high attack complexity suggest that the risk of widespread exploitation is limited. Organizations with high-value data or those operating in regulated sectors (finance, healthcare, government) may face greater risks if attackers succeed in exploiting this vulnerability. The lack of known active exploits reduces immediate threat levels but does not eliminate future risk, especially if attackers develop more effective exploitation techniques. Additionally, the vulnerability could be leveraged as part of a multi-stage attack chain, increasing its potential impact in targeted attacks against European enterprises.
Mitigation Recommendations
European organizations should prioritize upgrading running-elephant Datart to versions beyond 1.0.0-rc3 where this vulnerability is patched. If an immediate upgrade is not feasible, organizations should implement compensating controls such as restricting network access to the Datart API to trusted internal networks and enforcing strict authentication and authorization policies. Code audits should be performed to identify and remove any hard-coded cryptographic keys, replacing them with secure key management solutions that use environment variables or dedicated secrets management systems. Additionally, monitoring and logging should be enhanced to detect anomalous access patterns or token usage indicative of exploitation attempts. Organizations should also conduct penetration testing focused on cryptographic key extraction and token forgery to assess their exposure. Finally, educating developers on secure coding practices around cryptographic key management will help prevent similar vulnerabilities in future releases.
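One way to carry out the key-management recommendation above, as an added example that is not Datart's code or its patch: the secret is read from the environment at startup and the process refuses to run without a 32-byte key. The class name `TokenCrypto` and the variable `TOKEN_SECRET_B64` are hypothetical.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

// Added illustration, not Datart code. TokenCrypto and TOKEN_SECRET_B64 are hypothetical names.
public final class TokenCrypto {
    // Generic anti-pattern behind this weakness class: a key literal compiled into every build,
    //   private static final String SECRET = "<same constant in every installation>";
    // Anyone with the jar or the source then holds the key for all deployments.
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKeySpec key;

    public TokenCrypto(String base64Key) {
        if (base64Key == null || base64Key.isBlank())   // fail closed, never fall back to a default
            throw new IllegalStateException("token secret not configured; refusing to start");
        byte[] raw = Base64.getDecoder().decode(base64Key.trim());
        if (raw.length != 32)
            throw new IllegalStateException("token secret must decode to 32 bytes (AES-256)");
        this.key = new SecretKeySpec(raw, "AES");
    }

    // Per-deployment secret injected by the environment or a secrets manager.
    public static TokenCrypto fromEnvironment() {
        return new TokenCrypto(System.getenv("TOKEN_SECRET_B64"));
    }

    public byte[] encrypt(byte[] plaintext) throws Exception {
        byte[] iv = new byte[12];                        // fresh random nonce per message
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    public byte[] decrypt(byte[] blob) throws Exception {
        if (blob.length < 12 + 16) throw new IllegalArgumentException("truncated token");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);    // throws if the tag does not verify
    }

    public static void main(String[] args) throws Exception {
        byte[] k = new byte[32]; RNG.nextBytes(k);       // constructed key, for this demo only
        TokenCrypto tc = new TokenCrypto(Base64.getEncoder().encodeToString(k));
        byte[] token = tc.encrypt("user=alice".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(tc.decrypt(token), StandardCharsets.UTF_8));
    }
}
```

Moving to a per-deployment secret invalidates tokens issued under the old constant, which is the intended effect when the old key must be treated as public.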
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-07T14:58:28.193Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68be4aede3f0bafba8ab80f8
Added to database: 9/8/2025, 3:18:05 AM
Last enriched: 9/8/2025, 3:33:11 AM
Last updated: 9/8/2025, 12:35:11 PM