CVE-2025-51606

Published: Aug 21, 2025

Modified: Aug 22, 2025

PUBLISHED

Description

hippo4j 1.0.0 to 1.5.0, uses a hard-coded secret key in its JWT (JSON Web Token) creation. This allows attackers with access to the source code or compiled binary to forge valid access tokens and impersonate any user, including privileged ones such as "admin". The vulnerability poses a critical security risk in systems where authentication and authorization rely on the integrity of JWTs.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250610-01.md

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-51606

Description

Affected Products

References