CVE-2025-63691

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-63691
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63691.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-63691
Published
2025-11-07T16:15:42.820Z
Modified
2026-03-13T03:40:54.206500Z
Severity
  • 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

In pig-mesh In Pig version 3.8.2 and below, within the Token Management function under the System Management module, the token query interface (/api/admin/sys-token/page) has an improper permission verification issue, which leads to information leakage. This interface can be called by any user who has completed login authentication, and it returns the plaintext authentication Tokens of all users currently logged in to the system. As a result, ordinary users can obtain the administrator's authentication Token through this interface, thereby forging an administrator account, gaining the system's management permissions, and taking over the system.

References

Affected packages

Git / github.com/pig-mesh/pig

Affected ranges

Type
GIT
Repo
https://github.com/pig-mesh/pig
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
a24a044ede1fdfcca1e37bd9664a905b494d88b5
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.8.2"
        }
    ]
}

Affected versions

3.*
3.5.3
3.7.6
3.8.0
3.8.1
3.8.2
v3.*
v3.4.3
v3.5.2
v3.6.0
v3.6.1
v3.6.2
v3.6.3
v3.6.4
v3.7.1
v3.7.2
v3.7.5
v3.7.6
v3.8.0
v3.8.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63691.json"