CVE-2025-2322
Published: 15 March 2025
Summary
CVE-2025-2322 is a high-severity Use of Hard-coded Password (CWE-259) vulnerability in 274056675 Springboot-Openai-Chatgpt. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). It is ranked at the 25.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely identification, reporting, and remediation of software flaws like hard-coded credentials, directly preventing exploitation of CVE-2025-2322.
IA-5 requires proper management and protection of authenticators, prohibiting hard-coded credentials in application code such as OpenController.java.
RA-5 requires vulnerability scanning that can identify hard-coded-credential vulnerabilities like CVE-2025-2322 in deployed Spring Boot applications.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hard-coded administrator credentials in the web application controller enable authentication with valid default or local accounts (T1078, T1078.001, T1078.003) and provide unsecured credentials stored in files (T1552.001).
NVD Description
A vulnerability was found in 274056675 springboot-openai-chatgpt e84f6f5. It has been classified as critical. This affects an unknown part of the file /chatgpt-boot/src/main/java/org/springblade/modules/mjkj/controller/OpenController.java. The manipulation leads to hard-coded credentials. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis
CVE-2025-2322 is a critical vulnerability involving hard-coded credentials in the springboot-openai-chatgpt application at commit e84f6f5 from repository owner 274056675. It affects an unknown part of the file /chatgpt-boot/src/main/java/org/springblade/modules/mjkj/controller/OpenController.java. Classified under CWE-259 and CWE-798, the issue has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). The product lacks versioning, so details on affected and unaffected releases are unavailable.
The vulnerability enables remote exploitation without authentication or user interaction. Attackers can manipulate the affected component to access the hard-coded credentials, with a Low-rated impact on each of confidentiality, integrity, and availability (C:L/I:L/A:L).
Advisories from VulDB (ctiid.299751, id.299751, submit.505694) and a related cnblogs post document the issue, noting that the exploit has been publicly disclosed and may be actively used. The vendor was contacted early but provided no response, and no patches or mitigations are specified.
For context, this flaw sits in a Spring Boot integration with OpenAI's ChatGPT; it carries AI/ML relevance because the application handles chat functionality, and the public availability of an exploit increases real-world risk.
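No fix is published for the repository, so the following is an added example (hypothetical code written for this page, not the project's OpenController.java) of the remediation IA-5 calls for: a Spring Boot controller that takes its administrative secret from configuration instead of a source literal and compares it in constant time, with the hard-coded anti-pattern left as a comment. The class name, the property name mjkj.admin.token, the header name and the endpoint path are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller written for this page; not the repository's OpenController.java.
@RestController
public class OpenControllerHardened {

    // BEFORE (the CWE-259/CWE-798 pattern the advisory describes): a literal in source is
    // committed to the repository, shipped in every build, and identical for every deployment.
    //   private static final String ADMIN_PASSWORD = "<fixed value>";
    //   if (ADMIN_PASSWORD.equals(presented)) { /* grant admin access */ }

    // AFTER: the secret comes from configuration, e.g. the environment variable
    // MJKJ_ADMIN_TOKEN (Spring's relaxed binding maps it to mjkj.admin.token).
    // No default is declared, so Spring refuses to start if the property is unset
    // rather than silently falling back to a value everyone knows.
    private final byte[] adminToken;

    public OpenControllerHardened(@Value("${mjkj.admin.token}") String adminToken) {
        if (adminToken == null || adminToken.length() < 32) {
            throw new IllegalStateException("mjkj.admin.token must be set and at least 32 characters");
        }
        this.adminToken = adminToken.getBytes(StandardCharsets.UTF_8);
    }

    // Constant-time comparison: String.equals returns at the first mismatching byte,
    // so response timing would otherwise reveal how much of a guess was correct.
    boolean isAuthorized(String presented) {
        if (presented == null) {
            return false;
        }
        return MessageDigest.isEqual(adminToken, presented.getBytes(StandardCharsets.UTF_8));
    }

    @PostMapping("/open/admin/action")  // assumed path
    public ResponseEntity<String> adminAction(
            @RequestHeader(value = "X-Admin-Token", required = false) String token) {
        if (!isAuthorized(token)) {
            // Uniform failure; never echo the presented value in logs or the response.
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("unauthorized");
        }
        return ResponseEntity.ok("ok");
    }
}
```

Pair this with a secret-scanning step in CI (the RA-5 control above) so a literal of this kind cannot be committed again.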
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: The vulnerability affects 'springboot-openai-chatgpt', a Spring Boot application integrating OpenAI ChatGPT functionality with a controller (OpenController.java) for chat features, fitting enterprise AI assistants that deploy AI chat interfaces.