CVE-2025-54947

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

I

n Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue.

References

Link	Resource
https://lists.apache.org/thread/kdntmzyzrco75x9q6mc6s8lty1fxmog1	Mailing List
http://www.openwall.com/lists/oss-security/2025/12/12/3	Mailing List

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*

History

15 Dec 2025, 17:20

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-12 15:15

Updated : 2025-12-15 17:20

NVD link : CVE-2025-54947

Mitre link : CVE-2025-54947

CVE.ORG link : CVE-2025-54947

JSON object : View

Products Affected

streampark

CWE

CWE-321

Use of Hard-coded Cryptographic Key

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2025-54947", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-12-12T15:15:53.577", "references": [{"url": "https://lists.apache.org/thread/kdntmzyzrco75x9q6mc6s8lty1fxmog1", "tags": ["Mailing List"], "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2025/12/12/3", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-321"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access.\n\nThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\n\nUsers are recommended to upgrade to version 2.1.7, which fixes the issue."}], "lastModified": "2025-12-15T17:20:46.757", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "18BD3C9F-61F6-4D68-B0E7-333A94F827ED", "versionEndExcluding": "2.1.7", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}