Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/cn.hippo4j/hippo4j-core@1.2.0-RC3
Typemaven
Namespacecn.hippo4j
Namehippo4j-core
Version1.2.0-RC3
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
0
url VCID-h2gj-bvpw-zkdv
vulnerability_id VCID-h2gj-bvpw-zkdv
summary hippo4j 1.0.0 to 1.5.0, uses a hard-coded secret key in its JWT (JSON Web Token) creation. This allows attackers with access to the source code or compiled binary to forge valid access tokens and impersonate any user, including privileged ones such as "admin". The vulnerability poses a critical security risk in systems where authentication and authorization rely on the integrity of JWTs.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-51606
reference_id
reference_type
scores
0
value 0.00086
scoring_system epss
scoring_elements 0.25005
published_at 2026-06-12T12:55:00Z
1
value 0.00086
scoring_system epss
scoring_elements 0.24806
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-51606
1
reference_url https://github.com/opengoofy/hippo4j
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/opengoofy/hippo4j
2
reference_url https://github.com/opengoofy/hippo4j/blob/7d78be3cab526501ad876495862f4cec108da2af/threadpool/server/auth/src/main/java/cn/hippo4j/auth/security/JwtTokenManager.java#L51
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/opengoofy/hippo4j/blob/7d78be3cab526501ad876495862f4cec108da2af/threadpool/server/auth/src/main/java/cn/hippo4j/auth/security/JwtTokenManager.java#L51
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-51606
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-51606
4
reference_url https://github.com/advisories/GHSA-48cg-9c55-j2q7
reference_id GHSA-48cg-9c55-j2q7
reference_type
scores
url https://github.com/advisories/GHSA-48cg-9c55-j2q7
5
reference_url https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250610-01.md
reference_id POC-20250610-01.md
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-22T13:55:34Z/
url https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250610-01.md
fixed_packages
aliases CVE-2025-51606, GHSA-48cg-9c55-j2q7
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h2gj-bvpw-zkdv
1
url VCID-zevx-6tgj-xycq
vulnerability_id VCID-zevx-6tgj-xycq
summary Insecure Permissions vulnerability found in OpenGoofy Hippo4j v.1.4.3 allows attacker toescalate privileges via the AddUser method of the UserController function in Tenant Management module.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-27095
reference_id
reference_type
scores
0
value 0.00153
scoring_system epss
scoring_elements 0.36023
published_at 2026-06-12T12:55:00Z
1
value 0.00153
scoring_system epss
scoring_elements 0.35842
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-27095
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-27095
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-27095
2
reference_url https://github.com/opengoofy/hippo4j/issues/1061
reference_id 1061
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-26T19:02:52Z/
url https://github.com/opengoofy/hippo4j/issues/1061
3
reference_url https://github.com/advisories/GHSA-xg89-vvwp-9c27
reference_id GHSA-xg89-vvwp-9c27
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xg89-vvwp-9c27
fixed_packages
0
url pkg:maven/cn.hippo4j/hippo4j-core@1.4.3-upgrade
purl pkg:maven/cn.hippo4j/hippo4j-core@1.4.3-upgrade
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-h2gj-bvpw-zkdv
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/cn.hippo4j/hippo4j-core@1.4.3-upgrade
aliases CVE-2023-27095, GHSA-xg89-vvwp-9c27
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zevx-6tgj-xycq
Fixing_vulnerabilities
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/cn.hippo4j/hippo4j-core@1.2.0-RC3