
CVE-2025-9604: Use of Hard-coded Cryptographic Key in coze-studio

Severity: Medium
Published: Fri Aug 29 2025 (08/29/2025, 01:32:09 UTC)
Source: CVE Database V5
Product: coze-studio

Description

A vulnerability was identified in coze-studio up to 0.2.4. The impacted element is an unknown function of the file backend/domain/plugin/encrypt/aes.go. The manipulation of the argument AuthSecretKey/StateSecretKey/OAuthTokenSecretKey leads to use of hard-coded cryptographic key. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. To fix this issue, it is recommended to deploy a patch. The vendor replied to the GitHub issue (translated from simplified Chinese): "For scenarios requiring encryption, we will implement user-defined key management through configuration and optimize the use of encryption tools, such as random salt."

AI-Powered Analysis

AI analysis last updated: 08/29/2025, 02:02:48 UTC

Technical Analysis

CVE-2025-9604 is a medium-severity vulnerability affecting coze-studio versions up to 0.2.4. The vulnerability arises from the use of hard-coded cryptographic keys within the file backend/domain/plugin/encrypt/aes.go, specifically involving the arguments AuthSecretKey, StateSecretKey, and OAuthTokenSecretKey. Hard-coded keys are a critical security flaw because they can be extracted by attackers, leading to compromise of encrypted data or authentication tokens. In this case, the vulnerability allows remote attackers to exploit the weakness without requiring authentication or user interaction, although the attack complexity is high and exploitability is difficult. The CVSS 4.0 vector indicates network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), and limited confidentiality impact (VC:L), with no impact on integrity or availability. The vendor has acknowledged the issue and plans to implement user-defined key management and improve encryption practices by adding random salts, which would mitigate the risk by eliminating static keys. No known exploits are currently in the wild, and no patches have been linked yet, but deployment of a patch is recommended once available. This vulnerability highlights the risks of improper cryptographic key management in software development, particularly in encryption modules that protect sensitive data or authentication tokens.

Potential Impact

For European organizations using coze-studio versions 0.2.0 through 0.2.4, this vulnerability poses a risk of unauthorized decryption or token compromise if attackers can extract the hard-coded keys. While the confidentiality impact is limited, exposure of authentication tokens or encryption keys could lead to unauthorized access or data leakage. Given the medium severity and high complexity of exploitation, the immediate risk is moderate but should not be ignored, especially in environments handling sensitive or regulated data. Organizations in sectors such as finance, healthcare, and government, which often use encryption for data protection and authentication, could face compliance issues under GDPR if cryptographic keys are compromised. The remote attack vector means that attackers do not need physical or internal network access, increasing the threat surface. However, the lack of known exploits and difficult exploitability somewhat reduces the immediate threat level. Still, the presence of hard-coded keys is a fundamental security flaw that undermines trust in the software's encryption mechanisms.

Mitigation Recommendations

European organizations should take the following specific steps:

1) Immediately identify any deployments of coze-studio versions 0.2.0 to 0.2.4 within their environments.
2) Monitor vendor communications for the release of patches addressing this vulnerability and prioritize timely patching once available.
3) Until patches are applied, restrict network exposure of coze-studio services to trusted networks only, using firewalls and network segmentation to reduce attack surface.
4) Review and audit cryptographic key management practices in coze-studio configurations, and where possible, override default keys with user-defined keys or environment-specific secrets.
5) Implement additional monitoring and alerting for unusual authentication or encryption-related activities that could indicate exploitation attempts.
6) Conduct security assessments and penetration testing focused on cryptographic modules to detect potential key leakage or misuse.
7) Educate developers and administrators on secure key management principles to prevent recurrence of hard-coded keys in future software versions or customizations.
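As an added defender-side illustration (this is not code from coze-studio; the variable, function and environment-variable names and the sample key are assumptions), the weak pattern described in the Technical Analysis sits beside the configuration-driven key loading and per-message random nonce that mitigation step 4 and the vendor's reply call for:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"os"
)

// Weak pattern (constructed, not coze-studio's code): a key compiled into the
// binary is the same for every deployment and recoverable from any copy of it.
var HardcodedAuthSecretKey = []byte("0123456789abcdef0123456789abcdef")

// LoadKeyFromEnv is the hardened pattern: the key comes per deployment from
// configuration (hex in an environment variable whose name is assumed here),
// and a missing or wrongly sized key is a startup error, never a silent default.
func LoadKeyFromEnv(name string) ([]byte, error) {
	v := os.Getenv(name)
	if v == "" {
		return nil, errors.New(name + " is not set; refusing to fall back to a built-in key")
	}
	key, err := hex.DecodeString(v)
	if err != nil || len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (64 hex chars) for AES-256")
	}
	return key, nil
}

// Encrypt seals with AES-256-GCM under a fresh random nonce (the per-message
// randomness the vendor's reply calls a random salt), prepending the nonce to
// the output so the same plaintext never yields the same ciphertext twice.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
```

Auditing for the weak pattern means searching the code base for package-level byte or string literals passed to aes.NewCipher; the hardened loader makes a missing configured key a deployment failure rather than a fallback to a shared secret.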


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-28T15:13:46.197Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b106c4ad5a09ad007273f9

Added to database: 8/29/2025, 1:47:48 AM

Last enriched: 8/29/2025, 2:02:48 AM

Last updated: 8/29/2025, 4:08:47 AM

