CVE-2025-53960

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-53960
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53960.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-53960
Aliases
Published
2025-12-12T16:15:44.463Z
Modified
2025-12-18T05:56:41.356682Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). Because a JWT's header and payload are readable by anyone holding the token, and its signature is an HMAC over that content keyed with the password, the token itself serves as an offline verifier for password guesses. An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover.

This issue affects Apache StreamPark versions from 2.0.0 up to, but not including, 2.1.7.

Users are recommended to upgrade to version 2.1.7, which fixes the issue.

References

Affected packages

Git / github.com/apache/incubator-streampark

Affected ranges

Type
GIT
Repo
https://github.com/apache/incubator-streampark
Events

Affected versions

v2.*

v2.0.0
v2.0.0-rc7
v2.1.0
v2.1.0-rc1
v2.1.1
v2.1.1-rc1
v2.1.2
v2.1.2-rc1
v2.1.2-rc2
v2.1.2-rc3
v2.1.2-rc4
v2.1.3
v2.1.3-rc1
v2.1.4
v2.1.4-rc1
v2.1.4-rc2
v2.1.5
v2.1.5-rc1
v2.1.6
v2.1.6-rc1

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "source": "https://github.com/apache/incubator-streampark/commit/8dd921788dec184c2666fa1c02e805ce6f623252",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "72604311762344434157524388872199318042",
                "101381319070181150147389027635531889978",
                "310038833392798796558727557418965800963",
                "330809877638788693042066485153781276775",
                "203141332781631807521392259031539967324",
                "156969467876964860734397381149185180289",
                "170424081347378569989867558352770252592",
                "193304238247374794906548137123286245029",
                "334070347404010268040814028520268554938",
                "308036744727104892718300465798296262789",
                "115788449429454320046695682695817083242",
                "11038386778444955680838183526109494438",
                "55796072579321138584834700419009516658",
                "223011136654603458285269419246157768804",
                "211852535739150176752076952702720731301",
                "2926141564638056940297824882933275991",
                "117512291430626760323251453787609133743",
                "59261501348330234846016099127104830913",
                "279762489443434799534612196811519070720",
                "191166416608740688542203650057599443718",
                "73686856330602463427075760385545347288",
                "280496040623541366934864872594471181493",
                "301201534022035162471473908573928857751",
                "222351360164920053120334062797678892281"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "id": "CVE-2025-53960-027f6ca0",
        "target": {
            "file": "streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/authentication/JWTUtil.java"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/apache/incubator-streampark/commit/8dd921788dec184c2666fa1c02e805ce6f623252",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "324318930640623731654270475996681635614",
                "327957899571543317760196933166623960790",
                "278541427105710643967546019062822298833",
                "159492406914583973391340236515031802300",
                "119879068227782415349733880275853699325",
                "280389257635695014818944048531088058571",
                "51509417752468179858494755663406952823"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "id": "CVE-2025-53960-263d84a2",
        "target": {
            "file": "streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/service/impl/ProxyServiceImpl.java"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/apache/incubator-streampark/commit/8dd921788dec184c2666fa1c02e805ce6f623252",
        "deprecated": false,
        "digest": {
            "length": 340.0,
            "function_hash": "288746451071500207870814498968876872460"
        },
        "signature_type": "Function",
        "id": "CVE-2025-53960-28baf800",
        "target": {
            "function": "proxyYarnRequest",
            "file": "streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/service/impl/ProxyServiceImpl.java"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/apache/incubator-streampark/commit/8dd921788dec184c2666fa1c02e805ce6f623252",
        "deprecated": false,
        "digest": {
            "length": 579.0,
            "function_hash": "283793259800020934119710089861491106672"
        },
        "signature_type": "Function",
        "id": "CVE-2025-53960-4fcb1a4f",
        "target": {
            "function": "encrypt",
            "file": "streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/authentication/JWTUtil.java"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/apache/incubator-streampark/commit/8dd921788dec184c2666fa1c02e805ce6f623252",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "263980810505798628595619531997022976963",
                "171248809125965656210516837396910807675",
                "135822983919276411410628740725341426928",
                "217693532684773251347948207552101295588",
                "35050827336946862006479778052640455763",
                "67554605394807531402678288100164025042",
                "321783529544294377427554551733489285952",
                "37466200252845548442083995463342902156",
                "240651061503901532336589772636657081258",
                "283772493889295042550003328560399865883",
                "136401701958255859200017059376119385054",
                "120651749992805064896080226261581666470",
                "264866360453358443934220745148500119813",
                "29718312756041812392104133432432266815",
                "111875467600827513061861593374499388082",
                "320490395155239384432793027785889434670",
                "247555308210546503707584796476082236448",
                "308198604119221655210222852279453053492",
                "205962123338759966853924119454944085862",
                "206602405823575400006473096869188376728",
                "111396621369845697053255194882685091237",
                "127839860919651646476479296411965610244",
                "8322688583412860914346343657574853962",
                "240785354158974056619603822389144141321",
                "306393152336320463500613140331354772189",
                "63217864553604664777192365766880836161",
                "151490088942334776799838352828074709219",
                "7548110078523344986862401005074929530",
                "319295855900907980539068047133713580793",
                "175740983271224021877584713998435853464",
                "89758194188668124957241156968946935476",
                "43151419938306758084306641929080030455"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "id": "CVE-2025-53960-5e6472ae",
        "target": {
            "file": "streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/service/impl/SavepointServiceImpl.java"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/apache/incubator-streampark/commit/8dd921788dec184c2666fa1c02e805ce6f623252",
        "deprecated": false,
        "digest": {
            "length": 557.0,
            "function_hash": "134617278887961976140670105721348224965"
        },
        "signature_type": "Function",
        "id": "CVE-2025-53960-6f765ec5",
        "target": {
            "function": "decrypt",
            "file": "streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/authentication/JWTUtil.java"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/apache/incubator-streampark/commit/8dd921788dec184c2666fa1c02e805ce6f623252",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "70919835412591037400450389432832245457",
                "117458133932223238549315895049905595598",
                "338628923973652709428423962122098934296",
                "129502702543934272625547365009928995339"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "id": "CVE-2025-53960-91a86589",
        "target": {
            "file": "streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/runner/StartedUpRunner.java"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/apache/incubator-streampark/commit/8dd921788dec184c2666fa1c02e805ce6f623252",
        "deprecated": false,
        "digest": {
            "length": 941.0,
            "function_hash": "197324602750162243615055170347668005538"
        },
        "signature_type": "Function",
        "id": "CVE-2025-53960-b43ac79a",
        "target": {
            "function": "handleSavepointResponseFuture",
            "file": "streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/service/impl/SavepointServiceImpl.java"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/apache/incubator-streampark/commit/8dd921788dec184c2666fa1c02e805ce6f623252",
        "deprecated": false,
        "digest": {
            "length": 277.0,
            "function_hash": "13828414885198394357680017769272299489"
        },
        "signature_type": "Function",
        "id": "CVE-2025-53960-e0cac0a7",
        "target": {
            "function": "verify",
            "file": "streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/authentication/JWTUtil.java"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/apache/incubator-streampark/commit/8dd921788dec184c2666fa1c02e805ce6f623252",
        "deprecated": false,
        "digest": {
            "length": 211.0,
            "function_hash": "262017398196332793000406350886395229732"
        },
        "signature_type": "Function",
        "id": "CVE-2025-53960-e1ca5c42",
        "target": {
            "function": "decode",
            "file": "streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/authentication/JWTUtil.java"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/apache/incubator-streampark/commit/8dd921788dec184c2666fa1c02e805ce6f623252",
        "deprecated": false,
        "digest": {
            "length": 510.0,
            "function_hash": "239547349364244315386659876794322283296"
        },
        "signature_type": "Function",
        "id": "CVE-2025-53960-e44961d1",
        "target": {
            "function": "sign",
            "file": "streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/authentication/JWTUtil.java"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/apache/incubator-streampark/commit/8dd921788dec184c2666fa1c02e805ce6f623252",
        "deprecated": false,
        "digest": {
            "length": 1521.0,
            "function_hash": "53110379701467389736400667144670990555"
        },
        "signature_type": "Function",
        "id": "CVE-2025-53960-effd7b3d",
        "target": {
            "function": "run",
            "file": "streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/runner/StartedUpRunner.java"
        }
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53960.json"