CVE-2025-15108: Use of Hard-coded Cryptographic Key in PandaXGO PandaX
A vulnerability was detected in PandaXGO PandaX up to fb8ff40f7ce5dfebdf66306c6d85625061faf7e5. This affects an unknown function of the file config.yml of the component JWT Secret Handler. The manipulation of the argument key results in use of hard-coded cryptographic key . The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit is now public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.
CVE-2025-15108: Use of Hard-coded Cryptographic Key in PandaXGO PandaX
Description
A vulnerability was detected in PandaXGO PandaX up to fb8ff40f7ce5dfebdf66306c6d85625061faf7e5. This affects an unknown function of the file config.yml of the component JWT Secret Handler. The manipulation of the argument key results in use of hard-coded cryptographic key . The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit is now public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2025-12-26T23:10:15.495Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69500e0b33c6eb8342f40260
Added to database: 12/27/2025, 4:49:15 PM
Last updated: 12/27/2025, 8:20:10 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-14177: CWE-125 Out-of-bounds Read in PHP Group PHP
MediumCVE-2025-14180: CWE-476 NULL Pointer Dereference in PHP Group PHP
HighCVE-2025-14178: CWE-787 Out-of-bounds Write in PHP Group PHP
MediumCVE-2025-15109: Unrestricted Upload in jackq XCMS
MediumCVE-2025-54322: CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in Xspeeder SXZOS
CriticalActions
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.