CVE-2025-15105

Summary

A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
getmaxunmaxun0.0.1affected
getmaxunmaxun0.0.2affected
getmaxunmaxun0.0.3affected
getmaxunmaxun0.0.4affected
getmaxunmaxun0.0.5affected
getmaxunmaxun0.0.6affected
getmaxunmaxun0.0.7affected
getmaxunmaxun0.0.8affected
getmaxunmaxun0.0.9affected
getmaxunmaxun0.0.10affected
getmaxunmaxun0.0.11affected
getmaxunmaxun0.0.12affected
getmaxunmaxun0.0.13affected
getmaxunmaxun0.0.14affected
getmaxunmaxun0.0.15affected
getmaxunmaxun0.0.16affected
getmaxunmaxun0.0.17affected
getmaxunmaxun0.0.18affected
getmaxunmaxun0.0.19affected
getmaxunmaxun0.0.20affected
getmaxunmaxun0.0.21affected
getmaxunmaxun0.0.22affected
getmaxunmaxun0.0.23affected
getmaxunmaxun0.0.24affected
getmaxunmaxun0.0.25affected
getmaxunmaxun0.0.26affected
getmaxunmaxun0.0.27affected
getmaxunmaxun0.0.28affected

Weaknesses

  • CWE-321: Use of Hard-coded Cryptographic Key
  • CWE-320: Key Management Error

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References