CVE-2025-70045
Published: 23 February 2026
Summary
CVE-2025-70045 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Jxcore Jxm. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 7.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SC-8 (Transmission Confidentiality and Integrity).
Deeper analysis
CVE-2025-70045 is an improper certificate validation vulnerability (CWE-295) discovered in the master branch of jxcore/jxm, a component associated with the jxcore project. The issue arises when the application disables TLS/SSL certificate validation by explicitly setting the 'rejectUnauthorized' option to false in HTTPS request options, even when 'jx_obj.IsSecure' is true. This flaw was published on 2026-02-23 and carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its potential for significant confidentiality and integrity impacts.
Remote attackers can exploit this vulnerability over the network without privileges or user interaction, though it requires high attack complexity. Exploitation enables man-in-the-middle scenarios where attackers can intercept or modify HTTPS traffic, leading to unauthorized disclosure or alteration of sensitive data, as certificate validation is bypassed under the specified condition.
Mitigation guidance and additional details are available in the referenced advisories, including https://gist.github.com/zcxlighthouse/bd5852a409c97438016f2c476f8461d9, https://github.com/jxcore, and https://github.com/jxcore/jxm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207616
Vulnerability details
An issue pertaining to CWE-295: Improper Certificate Validation was discovered in jxcore jxm master. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in HTTPS request options when 'jx_obj.IsSecure' is true
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper certificate validation (rejectUnauthorized=false) directly enables adversary-in-the-middle attacks on HTTPS traffic.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires cryptographic protection of transmitted data that depends on proper TLS certificate validation to prevent MITM attacks.
Mandates correct issuance, distribution, and validation of PKI certificates, directly blocking the rejectUnauthorized bypass.
Ensures session authenticity through validated cryptographic mechanisms, mitigating the disabled certificate checks.