CVE-2025-48491: CWE-798: Use of Hard-coded Credentials in aryan6673 project-ai

Low
Tags: Vulnerability, CVE-2025-48491, CWE-798
Published: Fri May 30 2025 (05/30/2025, 03:38:53 UTC)
Source: CVE Database V5
Vendor/Project: aryan6673
Product: project-ai

Description

Project AI is a platform designed to create AI agents. Prior to the pre-beta version, a hardcoded API key was present in the source code. This issue has been patched in the pre-beta version.

AI-Powered Analysis

Last updated: 07/07/2025, 21:40:18 UTC

Technical Analysis

CVE-2025-48491 is classified under CWE-798 (Use of Hard-coded Credentials): an API key was embedded in the source code of the aryan6673 project-ai platform, a platform for building AI agents, in every version before the pre-beta release. Anyone with access to the source of an affected version could therefore extract the key and misuse it, and hard-coded credentials are a significant risk because the key grants access to whatever services or resources it protects. The issue is fixed in the pre-beta version and all later releases. The CVSS 4.0 base score is 2.7, which is low severity. The vector describes a network-based attack (AV:N) with low attack complexity (AC:L), no privileges or user interaction required (PR:N/UI:N), and low impact on confidentiality, integrity and availability (VC:L/VI:L/VA:L). No exploits are known in the wild and no patch links were provided; the fix is implied by the pre-beta release. The vulnerability primarily affects the confidentiality of the API key and, through it, potentially the integrity and availability of the services reached with that key, but the overall risk is limited by the low impact and by the availability of the fix.

Potential Impact

For European organizations, the impact of this vulnerability depends largely on whether they use the affected versions of project-ai. If an organization uses a pre-beta version containing the hardcoded API key, an attacker could extract the key and potentially access or manipulate AI agent services, leading to unauthorized data access or service disruption. Given the low CVSS score and the limited scope of the vulnerability, the direct impact on European organizations is expected to be low, especially if they are using updated versions. However, organizations involved in AI development or those relying on project-ai for critical AI agent deployment could face confidentiality breaches or service integrity issues if the vulnerability is exploited. The risk is mitigated by the absence of known exploits in the wild and the availability of a patched version. Nonetheless, organizations should be vigilant about using only updated software versions and monitoring for any suspicious activity related to API key misuse.

Mitigation Recommendations

European organizations should ensure that they do not use any pre-beta versions of project-ai that contain the hardcoded API key. Immediate steps include upgrading to the pre-beta or later versions where the vulnerability is patched. Additionally, organizations should audit their codebases and deployments to verify that no hardcoded credentials exist. If the hardcoded API key was ever used in production or exposed, it should be considered compromised and revoked or rotated immediately. Implementing secure credential management practices, such as using environment variables or secure vaults for API keys, is critical to prevent similar issues. Organizations should also monitor logs and network traffic for unusual access patterns that could indicate misuse of compromised credentials. Finally, educating developers about the risks of hardcoded credentials and enforcing secure coding standards will help prevent recurrence.
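The two defensive steps above, auditing a code base for hard-coded credentials and moving the key into the environment, can be shown in a small script. The following is example code written for this page, not code from the project-ai repository; the two source samples are constructed, the key value in them is a made-up placeholder, and the variable name `PROJECT_AI_API_KEY` is assumed.

```python
"""Defender-side helpers for CWE-798: a minimal scanner that flags literal
assignments of key-like strings to secret-looking variable names, and a
fail-closed loader that reads the key from the environment at runtime.
Example code for this page; samples are constructed, not the project's code."""
import math
import os
import re
from typing import List, Mapping, Tuple

# Variable names that usually hold secrets, and a quoted literal long enough
# to plausibly be a real API key (16+ characters).
SECRET_NAME = re.compile(r"(api[_-]?key|secret|token|password|passwd)", re.IGNORECASE)
ASSIGNMENT = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*["']([^"']{16,})["']""")
MIN_ENTROPY = 3.0  # bits per character; generated keys sit well above this


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character, used to separate keys from plain words."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_credentials(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, variable name, redacted preview) for each
    suspicious literal assignment in a Python-like source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, literal = m.group(1), m.group(2)
        if SECRET_NAME.search(name) and shannon_entropy(literal) >= MIN_ENTROPY:
            # Never echo the full secret into scanner output or logs.
            findings.append((lineno, name, literal[:4] + "..." + literal[-2:]))
    return findings


def load_api_key(env: Mapping[str, str] = os.environ,
                 var: str = "PROJECT_AI_API_KEY") -> str:
    """Hardened pattern: take the key from the environment (or a vault-backed
    mapping) and refuse to run without it, instead of falling back to a literal."""
    key = env.get(var)
    if not key:
        raise RuntimeError(f"{var} is not set; refusing to start without a credential")
    return key


# Constructed sample resembling the pre-beta defect (the key is NOT a real credential).
VULNERABLE_SAMPLE = '''\
import requests

OPENAI_API_KEY = "sk-EXAMPLEexampleEXAMPLEexample0123456789abcdef"  # hard-coded
APP_NAME = "project-ai"

def ask(prompt):
    return requests.post(URL, headers={"Authorization": "Bearer " + OPENAI_API_KEY})
'''

# Constructed sample of the fixed shape: no literal, the key comes from the environment.
FIXED_SAMPLE = '''\
import os, requests

APP_NAME = "project-ai"

def ask(prompt):
    key = os.environ["PROJECT_AI_API_KEY"]
    return requests.post(URL, headers={"Authorization": "Bearer " + key})
'''

if __name__ == "__main__":
    for lineno, name, preview in find_hardcoded_credentials(VULNERABLE_SAMPLE):
        print(f"line {lineno}: {name} looks like a hard-coded credential ({preview})")
    print("fixed sample findings:", find_hardcoded_credentials(FIXED_SAMPLE))
```

The scanner is deliberately simple (one language, one assignment shape) and is meant to illustrate the audit step, not replace a dedicated secret-scanning tool in CI; the loader shows the shape of the fix, where a missing credential is a startup error rather than a silent fallback to a value in the repository.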

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-05-22T12:11:39.120Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68392cfa182aa0cae29ce4a6

Added to database: 5/30/2025, 3:58:50 AM

Last enriched: 7/7/2025, 9:40:18 PM

Last updated: 8/9/2025, 11:30:57 AM
