A vulnerability was identified in coze-studio up to 0.2.4. The impacted element is an unknown function of the file backend/domain/plugin/encrypt/aes.go. The manipulation of the argument AuthSecretKey/StateSecretKey/OAuthTokenSecretKey leads to use of hard-coded cryptographic key . It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. To fix this issue, it is recommended to deploy a patch. The vendor replied to the GitHub issue (translated from simplified Chinese): "For scenarios requiring encryption, we will implement user-defined key management through configuration and optimize the use of encryption tools, such as random salt."
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/9xxx/CVE-2025-9604.json",
"cwe_ids": [
"CWE-320",
"CWE-321"
],
"cna_assigner": "VulDB"
}{
"extracted_events": [
{
"introduced": "0.2.0"
},
{
"last_affected": "0.2.0"
},
{
"introduced": "0.2.1"
},
{
"last_affected": "0.2.1"
},
{
"introduced": "0.2.2"
},
{
"last_affected": "0.2.2"
},
{
"introduced": "0.2.3"
},
{
"last_affected": "0.2.3"
},
{
"introduced": "0.2.4"
},
{
"last_affected": "0.2.4"
}
],
"source": "AFFECTED_FIELD"
}