CVE-2025-8974
Published: 14 August 2025
Summary
CVE-2025-8974 is a low-severity Use of Hard-coded Password (CWE-259) vulnerability in Linlinjava Litemall. Its CVSS base score is 2.9 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 24.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).
Deeper analysis
CVE-2025-8974 is a vulnerability in linlinjava litemall versions up to 1.8.0, affecting unknown functionality in the file litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHelper.java within the JSON Web Token Handler component. The issue is the use of hard-coded credentials: the SECRET argument used by the JWT handler can be manipulated via the X-Litemall-Token input, which is classified under CWE-259 and CWE-798. It carries a CVSS v3.1 base score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N), indicating low severity: reachable over the network and without authentication, but with high attack complexity and only a limited integrity impact.
Remote attackers need no privileges to exploit this vulnerability, though the high attack complexity makes exploitation difficult. A successful attack yields a limited integrity impact, such as tampering with tokens processed by the JWT handler using the hard-coded credentials, without affecting confidentiality or availability.
Advisories and discussions on mitigation are detailed in GitHub issues at https://github.com/linlinjava/litemall/issues/568 and https://github.com/linlinjava/litemall/issues/568#issue-3289860066, along with VulDB entries at https://vuldb.com/?ctiid.319970, https://vuldb.com/?id.319970, and https://vuldb.com/?submit.628233. The exploit has been publicly disclosed and may be usable.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24930
Vulnerability details
A vulnerability was determined in linlinjava litemall up to 1.8.0. Affected by this issue is some unknown functionality of the file litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHelper.java of the component JSON Web Token Handler. The manipulation of the argument SECRET with the input X-Litemall-Token leads to hard-coded credentials. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
- CWE(s): CWE-259 (Use of Hard-coded Password), CWE-798 (Use of Hard-coded Credentials)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A JWT signing secret hard-coded in publicly available source code lets a remote attacker forge valid authentication tokens. That maps to unauthorized access and impersonation via forged credentials, privilege escalation, exploitation of the public-facing web application, and the use of unsecured credentials stored in files.
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): directly prohibits embedding hard-coded credentials such as the JWT SECRET in JwtHelper.java and requires proper authenticator generation, distribution, and rotation.
- SC-12 (Cryptographic Key Establishment and Management): mandates secure cryptographic key establishment and management, preventing a static SECRET value from being compiled into the JWT handler.
- Engineering principles: requires the application of security engineering principles that explicitly forbid hard-coded secrets and favor externalized, configurable credential handling.
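The externalized-credential pattern these controls call for, as an added illustration that is not the litemall project's own code: a hypothetical JWT helper that reads its HS256 key from an environment variable (the name LITEMALL_JWT_SECRET is assumed), refuses to start when the key is missing or too short instead of falling back to a default, pins the header to HS256, and compares signatures in constant time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical hardened JWT helper: the HS256 key comes from the deployment
// environment, not from a SECRET constant compiled into the class (CWE-798).
public final class ExternalizedJwtHelper {
    private static final String ENV_VAR = "LITEMALL_JWT_SECRET"; // assumed variable name
    private static final int MIN_KEY_BYTES = 32;                  // 256-bit minimum for HS256
    private static final String HEADER_B64 = b64("{\"alg\":\"HS256\",\"typ\":\"JWT\"}");
    private final byte[] key;

    public ExternalizedJwtHelper(String secret) {
        byte[] k = secret == null ? new byte[0] : secret.getBytes(StandardCharsets.UTF_8);
        if (k.length < MIN_KEY_BYTES) // fail closed rather than sign with a weak or default key
            throw new IllegalStateException(ENV_VAR + " must hold at least " + MIN_KEY_BYTES + " bytes");
        this.key = k;
    }
    /** Builds the helper once at start-up from the environment; throws if misconfigured. */
    public static ExternalizedJwtHelper fromEnvironment() {
        return new ExternalizedJwtHelper(System.getenv(ENV_VAR));
    }
    private static String b64(String s) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }
    private String hmac(String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] sig = mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(sig);
    }
    /** Issues a compact HS256 token over the given JSON claims string. */
    public String sign(String claimsJson) throws Exception {
        String signingInput = HEADER_B64 + "." + b64(claimsJson);
        return signingInput + "." + hmac(signingInput);
    }
    /** Returns the claims JSON if the token is well-formed, HS256 and correctly signed; null otherwise. */
    public String verify(String token) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3 || !HEADER_B64.equals(parts[0])) return null; // pinned header: no alg confusion
        byte[] expected = hmac(parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
        byte[] given = parts[2].getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, given)) return null;        // constant-time comparison
        return new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
    }
}
```

Because the constructor throws when the variable is absent or shorter than 32 bytes, a deployment that forgets to set the key fails at start-up instead of silently issuing tokens under a value anyone can read from the repository; rotating the key is then a configuration change rather than a source edit.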