CVE-2025-51606 · HIGH 8.8 · EPSS p24.1%


Description

hippo4j versions 1.0.0 through 1.5.0 use a hard-coded secret key to sign the JWTs (JSON Web Tokens) they issue for authentication. Anyone who can read the key from the source code or the compiled binary can forge a validly signed token carrying arbitrary claims and impersonate any user, including privileged accounts such as "admin". In a deployment where authentication and authorization rest on the integrity of these JWTs, the key being public defeats the signature check entirely, so the weakness is critical in practice.
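The following is an added illustration of the weakness class (CWE-798 applied to an HS256 JWT), not code from hippo4j or from the referenced proof of concept. The secret, claim names and the APP_JWT_SECRET variable are placeholders chosen for the demo: with the signing key known, an attacker mints an "admin" token that a verifier using that same key accepts, while a verifier keyed with a per-deployment random secret rejects the identical token. The verifier also pins the algorithm and requires an expiry, two checks a practitioner would add while replacing the key.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Mapping, Optional

# Placeholder standing in for a secret committed to a repository.
# Assumption for the demo; this is NOT hippo4j's actual key.
HARDCODED_SECRET = b"example-secret-committed-to-source"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; whoever holds `secret` can sign any claims."""
    def enc(obj: dict) -> str:
        return b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if `token` is validly signed with `secret`, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except ValueError:  # malformed base64/JSON, wrong segment count
        return None
    # Pin the algorithm: the token must not be allowed to pick "none" or RS256.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        claims = json.loads(b64url_decode(p))
    except ValueError:
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp < now:  # expiry is mandatory
        return None
    return claims


def forge_admin_token(secret: bytes, now: Optional[int] = None) -> str:
    """Attacker side: with the key read out of source or a jar, become admin.
    Claim names here are hypothetical, not hippo4j's."""
    now = int(time.time()) if now is None else now
    return sign_hs256({"sub": "admin", "iat": now, "exp": now + 3600}, secret)


def load_deployment_secret(env: Mapping[str, str] = os.environ) -> bytes:
    """Hardened side: a per-deployment secret generated at install time
    (e.g. `openssl rand -hex 32`) and supplied via the environment, never the repo.
    APP_JWT_SECRET is a hypothetical variable name."""
    raw = env.get("APP_JWT_SECRET")
    if not raw or len(raw) < 32:
        raise RuntimeError("APP_JWT_SECRET must hold at least 32 random characters")
    return raw.encode()


def demo(now: int = 1_700_000_000) -> dict:
    """Run the same forged token against a vulnerable and a hardened verifier."""
    forged = forge_admin_token(HARDCODED_SECRET, now)
    vulnerable = verify_hs256(forged, HARDCODED_SECRET, now)
    fresh_env = {"APP_JWT_SECRET": os.urandom(32).hex()}
    hardened = verify_hs256(forged, load_deployment_secret(fresh_env), now)
    return {
        "vulnerable_accepts_forgery": vulnerable is not None and vulnerable.get("sub") == "admin",
        "hardened_accepts_forgery": hardened is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The practical remediation the example models is key rotation plus relocation: every deployment must sign with its own randomly generated secret held outside the code base, and any token signed under the old shared key has to be treated as untrusted once the key is known to be public. The same forged-token construction doubles as a check that an instance has actually been re-keyed: a token signed with the old key should be rejected after the fix.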

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.33% probability of exploitation · percentile 24.1% · scored 2026-06-18T12:00:27Z
Published: 2025-08-21
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-798

References

  1. https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250610-01.md


Type      Target                                      Confidence  Tier
Weakness  Use of Hard-coded Credentials (CWE-798)     0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-29000
  2. CVE-2025-5164
  3. CVE-2025-35940
  4. CVE-2025-41702
  5. CVE-2026-48526
  6. CVE-2025-69971
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.