
Description

When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue.
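The weakness the description names, as an added illustration that is not StreamPark's own code: a minimal HS256 JWT issuer and verifier in Python, with the vulnerable key choice (the user's password) beside the corrected one (a random server-held secret of at least 256 bits, the RFC 7518 minimum for HS256). The claims and the password are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> bytes:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def issue_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = header + b"." + payload
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return (signing_input + b"." + _b64url(sig)).decode()


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the MAC over header.payload and compare in constant time."""
    try:
        header, payload, sig = token.encode().split(b".")
    except ValueError:
        return False
    expected = hmac.new(key, header + b"." + payload, hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected), sig)


# Vulnerable pattern (what the advisory describes): the MAC key is the user's password,
# so every issued token is an offline-crackable hash of that password, and anyone who
# knows the password can mint tokens for the account.
def signing_key_vulnerable(password: str) -> bytes:
    return password.encode()


# Fixed pattern: one random secret that only the server holds, independent of any password.
SERVER_JWT_SECRET = secrets.token_bytes(32)  # 256 bits, generated at startup (constructed here)


def signing_key_fixed() -> bytes:
    return SERVER_JWT_SECRET


def password_alone_verifies(scheme: str, password: str) -> bool:
    """Check: does knowing only the user's password suffice to validate their token?"""
    key = signing_key_vulnerable(password) if scheme == "vulnerable" else signing_key_fixed()
    token = issue_hs256({"sub": "alice"}, key)  # constructed sample claims
    return verify_hs256(token, password.encode())
```

A token from the fixed scheme still round-trips under `SERVER_JWT_SECRET`, while the password verifies nothing; that is the property the 2.1.7 fix restores.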

Status: PUBLISHED | Reserved 2025-07-15 | Published 2025-12-12 | Updated 2025-12-16 | Assigner: apache

Problem types

CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation

Product status

Default status: unaffected
2.0.0 (semver) before 2.1.7: affected

Credits

omkar parkhe <omkarparth@gmail.com> finder

References

www.openwall.com/lists/oss-security/2025/12/04/1

lists.apache.org/thread/xlpvfzf5l5m5mfyjwrz5h4dssm3c32vy vendor-advisory

cve.org (CVE-2025-53960)

nvd.nist.gov (CVE-2025-53960)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.