Cyber Resilience

CVE-2025-65730

Severity: High · Public PoC

Published: 05 December 2025
Modified: 11 December 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0039 (60.7th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-65730 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Pommee Goaway. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). The CVE ranks in the top 39.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).

Deeper analysis

CVE-2025-65730 is an authentication bypass vulnerability stemming from the use of a hardcoded secret for signing JWT tokens in the GoAway application, affecting versions up to v0.62.18. The issue, classified under CWE-798 (Use of Hard-coded Credentials), was published on 2025-12-05 and carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability resides in the backend API components, as evidenced by code references to the auth.go and middleware.go files within the pommee/goaway repository.

An attacker with adjacent network access (AV:A) can exploit this vulnerability with low complexity and no required privileges or user interaction. By knowing the hardcoded signing secret, the attacker can forge valid JWT tokens to bypass authentication, potentially gaining unauthorized access to the application. Successful exploitation enables high-impact confidentiality, integrity, and availability violations, such as data exfiltration, modification, or denial of service.

Mitigation is available in GoAway version 0.62.19, which addresses the hardcoded secret issue. Security practitioners should immediately upgrade affected instances to this patched version. Relevant code changes and details are documented in the project's GitHub repository at https://github.com/pommee/goaway, with additional analysis in https://github.com/gian2dchris/CVEs/tree/CVE-2025-65730/CVE-2025-65730.
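As an added illustration (not code from GoAway, from the page's references, or from the PoC repository), the Go program below shows the defensive pattern the fix calls for: the service refuses to sign tokens with a baked-in default secret, takes a per-deployment key instead, and verifies HS256 signatures in constant time so that tokens minted under any other key are rejected. The `insecureDefaultSecret` constant and the function names are constructed for this example and do not reflect GoAway's actual code.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

// Constructed stand-in for the kind of compile-time constant CWE-798 describes; not the real GoAway value.
const insecureDefaultSecret = "change-me-hardcoded-secret"

// LoadSigningKey rejects the baked-in default and short keys, and generates a random per-deployment key when none is configured.
func LoadSigningKey(configured string) ([]byte, error) {
	switch {
	case configured == insecureDefaultSecret:
		return nil, errors.New("refusing to sign JWTs with the built-in default secret")
	case configured == "":
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		return key, nil
	case len(configured) < 32:
		return nil, errors.New("JWT secret must be at least 32 bytes")
	}
	return []byte(configured), nil
}

// SignHS256 builds a compact JWT (header.payload.signature) over claimsJSON with HMAC-SHA256.
func SignHS256(claimsJSON string, key []byte) string {
	enc := base64.RawURLEncoding
	input := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString([]byte(claimsJSON))
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + enc.EncodeToString(mac.Sum(nil))
}

// VerifyHS256 recomputes the MAC and compares in constant time; a token minted under any other key fails.
func VerifyHS256(token string, key []byte) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	want := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
	return hmac.Equal([]byte(want), []byte(parts[2]))
}
```

In a real deployment the configured value would come from an environment variable or secrets manager, never from source; the generated key must then be persisted so restarts do not invalidate every session.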


Vulnerability details

Authentication Bypass via Hardcoded Credentials: GoAway up to v0.62.18, fixed in 0.62.19, uses a hardcoded secret for signing the JWT tokens used for authentication.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1606 Forge Web Credentials (Credential Access): Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.

Why these techniques?

Hardcoded JWT signing secret enables forging valid authentication tokens, facilitating Valid Accounts (T1078) and Forge Web Credentials (T1606).

CVEs Like This One

CVE-2025-49551 (shared CWE-798)
CVE-2025-1393 (shared CWE-798)
CVE-2026-5065 (shared CWE-798)
CVE-2019-25291 (shared CWE-798)
CVE-2024-52902 (shared CWE-798)
CVE-2025-8857 (shared CWE-798)
CVE-2025-37103 (shared CWE-798)
CVE-2025-2538 (shared CWE-798)
CVE-2025-40537 (shared CWE-798)
CVE-2025-56749 (shared CWE-798)

Affected Assets

Vendor: pommee
Product: goaway
Versions: ≤ 0.62.19

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent: IA-5 requires proper management, protection, and lifecycle handling of authenticators, directly preventing the use of hardcoded secrets for JWT token signing.

Prevent: SC-12 mandates secure establishment, distribution, and management of cryptographic keys, addressing the hardcoded JWT signing secret vulnerability.

Prevent: SI-2 requires timely identification, reporting, and remediation of flaws, enabling patching of the hardcoded credential issue fixed in GoAway v0.62.19.
