Cyber Resilience

CVE-2025-8974

Severity: Low · Public PoC

Published: 14 August 2025
Modified: 29 April 2026
KEV Added: not listed
Patch: not recorded
CVSS Score v4: 2.9 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0089 (75.9th percentile)
Risk Priority: 6 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-8974 is a low-severity Use of Hard-coded Password (CWE-259) vulnerability in Linlinjava Litemall. Its CVSS base score is 2.9 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 24.1% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).

Deeper analysis

CVE-2025-8974 affects linlinjava litemall versions up to 1.8.0. The flaw sits in an unspecified part of the file litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHelper.java, within the JSON Web Token Handler component. It is a hard-coded credentials issue, described as manipulation of the SECRET argument with the input X-Litemall-Token, and is classified under CWE-259 and CWE-798. It carries a CVSS v3.1 base score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N): low severity, reachable over the network, but with high attack complexity and only a limited integrity impact.

Remote attackers with no required privileges can exploit this vulnerability, though the high complexity makes exploitation difficult. Successful attacks enable limited integrity impacts, such as potential tampering via the hard-coded credentials in JWT handling, without affecting confidentiality or availability.

Advisories and discussions on mitigation are detailed in GitHub issues at https://github.com/linlinjava/litemall/issues/568 and https://github.com/linlinjava/litemall/issues/568#issue-3289860066, along with VulDB entries at https://vuldb.com/?ctiid.319970, https://vuldb.com/?id.319970, and https://vuldb.com/?submit.628233. The exploit has been publicly disclosed and may be usable.

Vulnerability details

A vulnerability was determined in linlinjava litemall up to 1.8.0. Affected by this issue is some unknown functionality of the file litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHelper.java of the component JSON Web Token Handler. The manipulation of the argument SECRET with the input X-Litemall-Token leads to hard-coded credentials. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

CWE(s): CWE-259 (Use of Hard-coded Password), CWE-798 (Use of Hard-coded Credentials)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1078 Valid Accounts (Stealth)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1134.001 Token Impersonation/Theft (Stealth)
Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

A hard-coded JWT secret in public source code lets remote attackers forge authentication tokens the server accepts. That maps to unauthorized access, user impersonation, privilege escalation, exploitation of the public-facing web application, and use of unsecured credentials stored in files.

CVEs Like This One

CVE-2025-8730 (shared: CWE-259, CWE-798)
CVE-2026-7579 (shared: CWE-259, CWE-798)
CVE-2026-6574 (shared: CWE-259, CWE-798)
CVE-2025-11126 (shared: CWE-259, CWE-798)
CVE-2026-8032 (shared: CWE-259, CWE-798)
CVE-2026-4475 (shared: CWE-259, CWE-798)
CVE-2026-2616 (shared: CWE-259, CWE-798)
CVE-2026-9139 (shared: CWE-798)
CVE-2025-2343 (shared: CWE-259, CWE-798)
CVE-2026-1610 (shared: CWE-259, CWE-798)

Affected Assets

linlinjava litemall, versions ≤ 1.8.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

IA-5 Authenticator Management (prevent)
Directly prohibits embedding hard-coded credentials such as the JWT SECRET in JwtHelper.java and requires proper authenticator generation, distribution, and rotation.

SC-12 Cryptographic Key Establishment and Management (prevent)
Mandates secure cryptographic key establishment and management, preventing the static SECRET value from being compiled into the JWT handler.

Engineering principles control (prevent)
Requires application of engineering principles that explicitly forbid hard-coded secrets and favor externalized, configurable credential handling.
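In practice the IA-5 and SC-12 controls come down to taking the signing secret out of JwtHelper.java and supplying it at deployment time. The Java class below is an added illustration, not litemall's own code: it reads the HS256 key from an environment variable (the name LITEMALL_JWT_SECRET is an assumption), refuses to start if the key is missing or shorter than 32 bytes, and verifies tokens with a constant-time comparison using only JDK classes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper (not litemall's JwtHelper). The HS256 key is read from the
 *  deployment environment instead of a literal such as `static final String SECRET = "..."`,
 *  which is identical for every install and readable by anyone with the source. */
public final class JwtSecretLoader {
    private static final int MIN_KEY_BYTES = 32; // 256-bit minimum for HMAC-SHA256

    /** Reads the key at startup; a missing or short key aborts startup (fail closed). */
    public static byte[] loadSecret(String envVar) {
        String value = System.getenv(envVar);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException(envVar + " is not set; refusing to start without a JWT secret");
        }
        byte[] key = value.getBytes(StandardCharsets.UTF_8);
        if (key.length < MIN_KEY_BYTES) {
            throw new IllegalStateException(envVar + " must be at least " + MIN_KEY_BYTES + " bytes");
        }
        return key;
    }

    /** HS256 signature (base64url, no padding) over the "header.payload" signing input. */
    public static String sign(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] sig = mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(sig);
    }

    /** True only if the signature was produced with this key; constant-time comparison. */
    public static boolean verify(byte[] key, String token) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) return false;
        byte[] expected = sign(key, parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, parts[2].getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        byte[] key = loadSecret("LITEMALL_JWT_SECRET"); // assumed variable name; rotate by changing it and restarting
        String signingInput = "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOjF9"; // constructed sample header.payload
        String token = signingInput + "." + sign(key, signingInput);
        byte[] otherKey = "a-different-32-byte-secret-for-contrast".getBytes(StandardCharsets.UTF_8);
        System.out.println("accepted with current key: " + verify(key, token));
        System.out.println("accepted with a different key: " + verify(otherKey, token));
    }
}
```

Because the key lives outside the repository, a token minted with any other value (including a secret copied from public source) fails verification, and rotating the key is a configuration change rather than a code change.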
