We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-30206

Dpanel's hard-coded JWT secret leads to remote code execution



Description

Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. This issue is patched in version 1.6.1. A workaround for this vulnerability involves replacing the hardcoded secret with a securely generated value and load it from secure configuration storage.

Reserved 2025-03-18 | Published 2025-04-15 | Updated 2025-04-15 | Assigner GitHub_M


CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-321: Use of Hard-coded Cryptographic Key

CWE-453: Insecure Default Variable Initialization

CWE-547: Use of Hard-coded, Security-relevant Constants

Product status

< 1.6.1
affected

References

github.com/...dpanel/security/advisories/GHSA-j752-cjcj-w847

cve.org (CVE-2025-30206)

nvd.nist.gov (CVE-2025-30206)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-30206

Support options

Helpdesk Chat, Email, Knowledgebase