
CVE-2025-63691: n/a

Severity: Critical
Published: Fri Nov 07 2025 (11/07/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

In pig-mesh Pig version 3.8.2 and below, within the Token Management function under the System Management module, the token query interface (/api/admin/sys-token/page) has an improper permission verification issue, which leads to information leakage. This interface can be called by any user who has completed login authentication, and it returns the plaintext authentication Tokens of all users currently logged in to the system. As a result, ordinary users can obtain the administrator's authentication Token through this interface, thereby forging an administrator account, gaining the system's management permissions, and taking over the system.

AI-Powered Analysis

Last updated: 11/14/2025, 16:29:21 UTC

Technical Analysis

CVE-2025-63691 is a critical security vulnerability in pig-mesh Pig versions 3.8.2 and earlier, specifically within the Token Management function of the System Management module. The vulnerability arises from improper permission verification on the token query interface endpoint (/api/admin/sys-token/page). This endpoint is accessible to any user who has completed login authentication, regardless of privilege level. When accessed, it returns plaintext authentication tokens for all users currently logged into the system, including those of administrators. Authentication tokens are sensitive credentials that, if compromised, allow an attacker to impersonate the token owner without needing their password. By obtaining an administrator's token, an attacker can forge an administrator session, thereby gaining full management permissions and effectively taking over the system. The vulnerability is categorized under CWE-285 (Improper Authorization). The CVSS v3.1 base score is 9.6 (critical), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), scope changed (S:C), and high impact on confidentiality and integrity (C:H/I:H), but no impact on availability (A:N). Although no public exploits are currently known, the severity and ease of exploitation make this a significant threat. The lack of a patch link suggests that a fix may not yet be publicly available, increasing the urgency for mitigation.

Potential Impact

For European organizations using pig-mesh 3.8.2 or earlier, this vulnerability poses a severe risk of unauthorized system takeover. Attackers with any authenticated user account can escalate privileges to administrator level by stealing authentication tokens, leading to full control over system management functions. This can result in data breaches, unauthorized configuration changes, disruption of services, and potential lateral movement within networks. Confidentiality and integrity of sensitive data are at high risk, especially in sectors relying on pig-mesh for critical infrastructure or internal system management. The vulnerability’s network accessibility and lack of user interaction requirement increase the likelihood of exploitation. Given the critical nature of this flaw, organizations could face regulatory penalties under GDPR if personal data is compromised. The absence of known exploits does not diminish the threat, as attackers may develop exploits rapidly once details are publicized.

Mitigation Recommendations

European organizations should immediately audit their pig-mesh deployments to identify affected versions (3.8.2 and below). Until an official patch is released, implement strict network segmentation and access controls to limit access to the token query API endpoint to trusted administrators only. Employ Web Application Firewalls (WAFs) to detect and block unauthorized API requests targeting /api/admin/sys-token/page. Enforce multi-factor authentication (MFA) for all administrative accounts to reduce the risk from token theft. Monitor logs for unusual token query activity or multiple token retrieval attempts by non-administrative users. Consider temporarily disabling or restricting the Token Management function if feasible. Engage with the pig-mesh vendor or community for updates and patches. Conduct regular security assessments and penetration testing focused on token management and authorization controls. Finally, educate users about the risks of token exposure and the importance of secure session management.
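As a concrete form of the log-monitoring step above, this added Python example (not pig-mesh code; the access-log format, field order and role names are assumed) flags successful calls to the token query endpoint by non-administrative principals over a few constructed log lines. Because the endpoint should never return 200 to a non-admin, every such hit is a finding, not just repeated ones.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not real pig-mesh logs). Assumed format:
# <timestamp> <user> <role> <method> <path> <http-status>
SAMPLE_LOG = """\
2025-11-10T09:14:02Z admin ROLE_ADMIN GET /api/admin/sys-token/page?current=1&size=10 200
2025-11-10T09:15:30Z alice ROLE_USER GET /api/admin/sys-token/page?current=1&size=50 200
2025-11-10T09:15:31Z alice ROLE_USER GET /api/admin/sys-token/page?current=2&size=50 200
2025-11-10T09:16:00Z bob ROLE_USER GET /api/user/info 200
2025-11-10T09:17:45Z alice ROLE_USER DELETE /api/admin/sys-token/delete/abc 403
"""

# Endpoint named in the advisory; query string is stripped before comparison.
TOKEN_QUERY_PATH = "/api/admin/sys-token/page"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one assumed-format log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, role, method, path, status = m.groups()
    return {"ts": ts, "user": user, "role": role, "method": method,
            "path": path.split("?", 1)[0], "status": int(status)}


def find_token_query_abuse(log_text, admin_roles=("ROLE_ADMIN",)):
    """Return {user: count} of successful token-page reads by non-admin principals.

    Only HTTP 200 responses count: those are the requests that actually returned
    the token list. Denied attempts (403) are worth a separate, lower-priority alert.
    """
    hits = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["path"] != TOKEN_QUERY_PATH:
            continue
        if rec["status"] != 200 or rec["role"] in admin_roles:
            continue
        hits[rec["user"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for user, n in find_token_query_abuse(SAMPLE_LOG).items():
        print(f"ALERT: non-admin user {user} read the token list {n} time(s)")
```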


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 690e10330d6e36ffa2711b92

Added to database: 11/7/2025, 3:28:51 PM

Last enriched: 11/14/2025, 4:29:21 PM

Last updated: 12/23/2025, 7:43:41 PM

