Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/cn.hippo4j/hippo4j-core@1.2.0-alpha

Type maven

Namespace cn.hippo4j

Name hippo4j-core

Version 1.2.0-alpha

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version null

Latest_non_vulnerable_version null

Affected_by_vulnerabilities

url

VCID-h2gj-bvpw-zkdv

vulnerability_id

VCID-h2gj-bvpw-zkdv

summary

hippo4j 1.0.0 to 1.5.0, uses a hard-coded secret key in its JWT (JSON Web Token) creation. This allows attackers with access to the source code or compiled binary to forge valid access tokens and impersonate any user, including privileged ones such as "admin". The vulnerability poses a critical security risk in systems where authentication and authorization rely on the integrity of JWTs.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-51606

reference_id

reference_type

scores

value	0.00086
scoring_system	epss
scoring_elements	0.25005
published_at	2026-06-12T12:55:00Z

value	0.00086
scoring_system	epss
scoring_elements	0.24806
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-51606

reference_url

https://github.com/opengoofy/hippo4j

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/opengoofy/hippo4j

reference_url

https://github.com/opengoofy/hippo4j/blob/7d78be3cab526501ad876495862f4cec108da2af/threadpool/server/auth/src/main/java/cn/hippo4j/auth/security/JwtTokenManager.java#L51

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/opengoofy/hippo4j/blob/7d78be3cab526501ad876495862f4cec108da2af/threadpool/server/auth/src/main/java/cn/hippo4j/auth/security/JwtTokenManager.java#L51

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-51606

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-51606

reference_url	https://github.com/advisories/GHSA-48cg-9c55-j2q7
reference_id	GHSA-48cg-9c55-j2q7
reference_type
scores
url	https://github.com/advisories/GHSA-48cg-9c55-j2q7

reference_url

https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250610-01.md

reference_id

POC-20250610-01.md

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-22T13:55:34Z/

url

https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250610-01.md

fixed_packages

aliases

CVE-2025-51606, GHSA-48cg-9c55-j2q7

risk_score

4.0

exploitability

0.5

weighted_severity

8.0

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-h2gj-bvpw-zkdv

url VCID-zevx-6tgj-xycq

vulnerability_id VCID-zevx-6tgj-xycq

summary Insecure Permissions vulnerability found in OpenGoofy Hippo4j v.1.4.3 allows attacker toescalate privileges via the AddUser method of the UserController function in Tenant Management module.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-27095

reference_id

reference_type

scores

value	0.00153
scoring_system	epss
scoring_elements	0.36023
published_at	2026-06-12T12:55:00Z

value	0.00153
scoring_system	epss
scoring_elements	0.35842
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-27095

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-27095

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-27095

reference_url

https://github.com/opengoofy/hippo4j/issues/1061

reference_id

1061

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-26T19:02:52Z/

url

https://github.com/opengoofy/hippo4j/issues/1061

reference_url

https://github.com/advisories/GHSA-xg89-vvwp-9c27

reference_id

GHSA-xg89-vvwp-9c27

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-xg89-vvwp-9c27

fixed_packages

url pkg:maven/cn.hippo4j/hippo4j-core@1.4.3-upgrade

purl pkg:maven/cn.hippo4j/hippo4j-core@1.4.3-upgrade

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-h2gj-bvpw-zkdv

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/cn.hippo4j/hippo4j-core@1.4.3-upgrade

aliases CVE-2023-27095, GHSA-xg89-vvwp-9c27

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zevx-6tgj-xycq

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/cn.hippo4j/hippo4j-core@1.2.0-alpha

Package Instance