CVE-2025-8974
Published: 14 August 2025
Summary
CVE-2025-8974 is a low-severity Use of Hard-coded Password (CWE-259) vulnerability in Linlinjava Litemall. Its CVSS base score is 3.7 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 47.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Changing default authenticators prior to first use directly prevents use of hard-coded passwords.
Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.
Vetting reduces the chance a developer will deliberately insert hard-coded credentials as a backdoor or unauthorized access mechanism.
Supplier risk reviews identify and discourage hard-coded credentials in delivered products or services.
Logging and monitoring enable users to notice when hard-coded credentials have been exploited for unauthorized access.
Security training explicitly warns against hard-coded credentials, lowering their use in systems.
Policy and procedures prohibit hard-coded credentials in favor of managed authentication.
External identity providers eliminate the need for hard-coded credentials in applications.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A hard-coded JWT secret in public source code lets remote attackers forge valid authentication tokens. This maps to unauthorized access, impersonation, privilege escalation, exploitation of the public-facing web application, and use of unsecured credentials stored in files.
NVD Description
A vulnerability was determined in linlinjava litemall up to 1.8.0. Affected by this issue is some unknown functionality of the file litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHelper.java of the component JSON Web Token Handler. The manipulation of the argument SECRET with the input X-Litemall-Token leads to hard-coded credentials. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
Deeper analysis
CVE-2025-8974 is a vulnerability in linlinjava litemall versions up to 1.8.0, affecting an unknown functionality in the file litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHelper.java within the JSON Web Token Handler component. The issue involves hard-coded credentials, specifically through manipulation of the SECRET argument using the X-Litemall-Token input, as classified under CWE-259 and CWE-798. It carries a CVSS v3.1 base score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N), indicating low severity with network accessibility but high attack complexity and limited integrity impact.
Remote attackers with no required privileges can exploit this vulnerability, though the high complexity makes exploitation difficult. Successful attacks enable limited integrity impacts, such as potential tampering via the hard-coded credentials in JWT handling, without affecting confidentiality or availability.
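The remediation the controls above describe (no compiled-in secret, managed configuration, fail-fast on defaults) is shown below as an added Java example. It is not code from the litemall project: the class name ExternalSecretJwtHelper and the environment variable LITEMALL_JWT_SECRET are assumptions, and X-Litemall-Token is treated as a known-bad value only because the NVD text names it as the input tied to the hard-coded SECRET. The class reads its HS256 key from configuration, refuses to start on an absent, placeholder or too-short value, and verifies token signatures in constant time.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical replacement for a JwtHelper-style class. The HS256 key is read
 * from configuration (here an environment variable) instead of being compiled
 * into the source, and the application refuses to start with a weak value.
 */
public final class ExternalSecretJwtHelper {
    // Assumed variable name; not taken from the litemall project.
    static final String SECRET_ENV_VAR = "LITEMALL_JWT_SECRET";
    // Values that must never be accepted as a key. "X-Litemall-Token" is the
    // input named in the NVD description; the others are common placeholders.
    static final Set<String> REJECTED_VALUES = Set.of("X-Litemall-Token", "secret", "changeme");
    // 256 bits, the minimum recommended key length for HMAC-SHA256.
    static final int MIN_SECRET_BYTES = 32;
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64_DEC = Base64.getUrlDecoder();

    private final SecretKeySpec key;

    ExternalSecretJwtHelper(String secret) {
        if (secret == null || secret.isBlank()) {
            throw new IllegalStateException(SECRET_ENV_VAR + " is not set; refusing to start");
        }
        if (REJECTED_VALUES.contains(secret)) {
            throw new IllegalStateException("JWT secret is a known placeholder value; refusing to start");
        }
        byte[] raw = secret.getBytes(StandardCharsets.UTF_8);
        if (raw.length < MIN_SECRET_BYTES) {
            throw new IllegalStateException("JWT secret shorter than " + MIN_SECRET_BYTES + " bytes");
        }
        this.key = new SecretKeySpec(raw, "HmacSHA256");
    }

    /** Builds the helper from the process environment; fails fast on a bad value. */
    static ExternalSecretJwtHelper fromEnvironment() {
        return new ExternalSecretJwtHelper(System.getenv(SECRET_ENV_VAR));
    }

    /** Returns header.payload.signature for an HS256 token over the given JSON claims. */
    String sign(String claimsJson) throws GeneralSecurityException {
        String header = B64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(claimsJson.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        return signingInput + "." + B64.encodeToString(hmac(signingInput));
    }

    /**
     * Verifies the signature and returns the claims JSON, or null if the token is
     * malformed or was not signed with this key. The header's "alg" field is
     * deliberately ignored: only HS256 under this key is ever accepted.
     */
    String verify(String token) throws GeneralSecurityException {
        String[] parts = token.split("\\.");
        if (parts.length != 3) {
            return null;
        }
        byte[] expected = hmac(parts[0] + "." + parts[1]);
        byte[] actual;
        byte[] claims;
        try {
            actual = B64_DEC.decode(parts[2]);
            claims = B64_DEC.decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Constant-time comparison so signature checking leaks no timing information.
        if (!MessageDigest.isEqual(expected, actual)) {
            return null;
        }
        return new String(claims, StandardCharsets.UTF_8);
    }

    private byte[] hmac(String input) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(input.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed demonstration value; a real deployment sets the variable outside the code.
        ExternalSecretJwtHelper helper = new ExternalSecretJwtHelper("constructed-demo-secret-with-at-least-32-bytes");
        String token = helper.sign("{\"userId\":42}");
        System.out.println("verified claims: " + helper.verify(token));
        // A token minted under a different key must not verify (prints null).
        ExternalSecretJwtHelper other = new ExternalSecretJwtHelper("another-constructed-secret-of-sufficient-length!");
        System.out.println("cross-key verify: " + other.verify(token));
    }
}
```

In a deployment the constructor would be reached through fromEnvironment() during application startup, so a missing or placeholder secret stops the service before it can issue a single token; that start-up failure is the detection point for a build that still carries a default value.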
Advisories and discussions on mitigation are detailed in GitHub issues at https://github.com/linlinjava/litemall/issues/568 and https://github.com/linlinjava/litemall/issues/568#issue-3289860066, along with VulDB entries at https://vuldb.com/?ctiid.319970, https://vuldb.com/?id.319970, and https://vuldb.com/?submit.628233. The exploit has been publicly disclosed and may be usable.
Details
- CWE(s)