CVE-2025-43866

vantage6 is an open-source infrastructure for privacy preserving analysis. The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not cryptographically secure as it is predictable to some extent. This vulnerability is fixed in 4.11.0.

CVSS

No CVSS.

References

Link	Resource
https://github.com/vantage6/vantage6/security/advisories/GHSA-m3mq-f375-5vgh

Configurations

No configuration.

History

16 Jun 2025, 12:32

Type	Values Removed	Values Added
Summary		(es) Vantage6 es una infraestructura de código abierto para el análisis que preserva la privacidad. La clave secreta JWT en el servidor Vantage6 se genera automáticamente, a menos que el usuario la defina. Esta clave es un UUID1, que no es criptográficamente seguro, ya que es predecible hasta cierto punto. Esta vulnerabilidad se corrigió en la versión 4.11.0.

12 Jun 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-12 18:15

Updated : 2025-06-16 12:32

NVD link : CVE-2025-43866

Mitre link : CVE-2025-43866

CVE.ORG link : CVE-2025-43866

JSON object : View

Products Affected

No product.

CWE

CWE-330

Use of Insufficiently Random Values

{"id": "CVE-2025-43866", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 1.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-12T18:15:20.713", "references": [{"url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-m3mq-f375-5vgh", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-330"}]}], "descriptions": [{"lang": "en", "value": "vantage6 is an open-source infrastructure for privacy preserving analysis. The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not cryptographically secure as it is predictable to some extent. This vulnerability is fixed in 4.11.0."}, {"lang": "es", "value": "Vantage6 es una infraestructura de c\u00f3digo abierto para el an\u00e1lisis que preserva la privacidad. La clave secreta JWT en el servidor Vantage6 se genera autom\u00e1ticamente, a menos que el usuario la defina. Esta clave es un UUID1, que no es criptogr\u00e1ficamente seguro, ya que es predecible hasta cierto punto. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 4.11.0."}], "lastModified": "2025-06-16T12:32:18.840", "sourceIdentifier": "security-advisories@github.com"}