CVE-2025-9604

216.73.216.6

· Published 29/08/2025 02:15 · Modified 29/08/2025 16:24

Labels: CVE-2025-9604 2025-08-29 CVE-2025-9604 CWE-320 [email protected]

Essential information

Published: 29/08/2025 02:15
Modified: 29/08/2025 16:24
Author: —
Creator: —
CVSS: 6.3 MEDIUM (v3) 6.3 MEDIUM (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

A vulnerability was identified in coze-studio up to 0.2.4. The impacted element is an unknown function of the file backend/domain/plugin/encrypt/aes.go. The manipulation of the argument AuthSecretKey/StateSecretKey/OAuthTokenSecretKey leads to use of hard-coded cryptographic key . It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. To fix this issue, it is recommended to deploy a patch. The vendor replied to the GitHub issue (translated from simplified Chinese): "For scenarios requiring encryption, we will implement user-defined key management through configuration and optimize the use of encryption tools, such as random salt."

NVD status

Status: Awaiting Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
coze-studio / coze-studio	`cpe:2.3:a:coze-studio:coze-studio::::::::`