CVE-2025-65730: n/a
Authentication Bypass via Hardcoded Credentials: GoAway up to v0.62.18 (fixed in 0.62.19) uses a hardcoded secret for signing the JWT tokens used for authentication.
AI Analysis
Technical Summary
CVE-2025-65730 is an authentication bypass vulnerability in GoAway up to version 0.62.18. The root cause is a hardcoded secret used to sign the JSON Web Tokens (JWTs) that authenticate users. JWTs are widely used for stateless authentication and rely on a cryptographic signature to establish that a token was issued by the server; the security of an HMAC-signed JWT therefore rests entirely on the secrecy of the signing key. Because the key is embedded in the software, anyone who obtains it (for example by reading the source or the distributed binary) can mint tokens that pass verification without knowing any legitimate credentials, bypassing authentication controls entirely. The weakness is classified as CWE-798 (Use of Hard-coded Credentials). The CVSS v3.1 base score is 8.8 (high): adjacent-network attack vector (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). No exploits are currently reported in the wild, but the low effort required and the potential for full compromise of the application make the risk significant. The issue is addressed in GoAway version 0.62.19, which replaces the hardcoded secret with a secure, dynamically generated key or a configuration-based secret. Organizations running affected versions should prioritize patching and review their own JWT authentication implementations for the same pattern.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized access to sensitive systems and data, compromising confidentiality and integrity. Attackers could impersonate legitimate users or administrators, manipulate data, disrupt services, or pivot within networks. Sectors such as finance, healthcare, government, and critical infrastructure that rely on GoAway for authentication are particularly at risk. A broken authentication mechanism can result in data leaks, regulatory non-compliance (e.g., GDPR violations), financial losses, and reputational damage. Because exploitation requires no privileges or user interaction and is possible from an adjacent network, the exposure is substantial, and organizations with remote or distributed environments may face higher risk. The current absence of known exploits provides a window for proactive mitigation before widespread exploitation occurs.
Mitigation Recommendations
1. Immediately upgrade all GoAway instances to version 0.62.19 or later, which contains the fix removing the hardcoded secret.
2. Audit all JWT authentication implementations to ensure no hardcoded secrets or weak keys are used; secrets should be securely generated and stored using environment variables or secure vaults.
3. Implement strict monitoring and logging of authentication events to detect anomalous token usage or unauthorized access attempts.
4. Employ network segmentation and access controls to limit exposure of authentication services to trusted networks only.
5. Conduct regular security assessments and penetration testing focusing on authentication mechanisms.
6. Educate development and operations teams about secure secret management practices to prevent recurrence.
7. If immediate patching is not feasible, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block forged JWT tokens based on known patterns.
8. Review incident response plans to prepare for potential exploitation scenarios involving authentication bypass.
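The following is an added illustration of the fix pattern described in the technical summary and in recommendation 2; it is not GoAway's own code (the project is written in Go; this is a language-neutral sketch in Python using only the standard library). The signing key is taken from configuration or generated at start-up, never written as a literal in the source, and a token signed under any other key fails verification. The environment variable name JWT_SECRET_EXAMPLE and the 32-byte minimum are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets

# CWE-798 pattern, shown only for contrast: JWT_SECRET = "baked-into-the-source"
MIN_SECRET_BYTES = 32  # 256-bit key for HS256 (assumed policy, not GoAway's)

def load_jwt_secret(env_var="JWT_SECRET_EXAMPLE"):  # hypothetical variable name
    """Take the key from configuration, refuse short ones, and generate a random
    key when none is set, so no usable key ever ships inside the source or binary."""
    value = os.environ.get(env_var)
    if value is not None:
        if len(value.encode()) < MIN_SECRET_BYTES:
            raise ValueError("configured JWT secret is shorter than 32 bytes")
        return value.encode()
    return secrets.token_bytes(MIN_SECRET_BYTES)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

HEADER = b64url(b'{"alg":"HS256","typ":"JWT"}')

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWT (header.payload.signature) under key."""
    signing_input = f"{HEADER}.{b64url(json.dumps(claims, separators=(',', ':')).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_hs256(token: str, key: bytes):
    """Return the claims only if the header is exactly HS256 and the signature
    matches under key (constant-time compare); anything else yields None."""
    parts = token.split(".")
    if len(parts) != 3 or parts[0] != HEADER:
        return None
    try:
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(unb64url(parts[2]), expected):
            return None
        return json.loads(unb64url(parts[1]))
    except ValueError:  # bad base64 or JSON is treated as an invalid token
        return None
```

With a generated or vault-supplied key, a token minted under a guessed or leaked literal no longer verifies, which is the property the hardcoded secret destroyed.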
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6932faa1f88dbe026cf03a5c
Added to database: 12/5/2025, 3:30:41 PM
Last enriched: 12/12/2025, 4:27:30 PM
Last updated: 2/7/2026, 1:10:36 AM