CVE-2025-53960

Name: CVE-2025-53960
Creator: NVD / NIST
Published: 2025-12-12T16:15:44.463+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.9/10EPSS 0.22%

Last modified Jun 17, 2026

CVE-2025-53960 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue.. EPSS estimates a 0.22% chance of exploitation in the next 30 days.

Description

When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue.

Metrics

CVSS 3.1

5.9/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.22%

12.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-1240

Affected Software

Vendor	Product	Versions
Apache	Streampark	>= 2.0.0, < 2.1.7

References

https://lists.apache.org/thread/xlpvfzf5l5m5mfyjwrz5h4dssm3c32vyMailing List, Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/12/04/1Mailing List, Third Party Advisory

Timeline

Published: Dec 12, 2025
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2025-53960?

How severe is CVE-2025-53960?

CVE-2025-53960 has a CVSS score of 5.9/10 (MEDIUM severity). The EPSS model estimates a 0.22% probability of exploitation in the next 30 days.

How do I fix CVE-2025-53960?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-53960?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST