6.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-15107

CVE-2025-15107: actiontech sqle JWT Secret jwt.go hard-coded key

A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. The manipulation of the argument JWTSecretKey leads to use of hard-coded cryptographic key . The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report and is planning to fix this flaw in an upcoming release.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-15107

CVE-2025-15107:

6.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/actiontech/sqle	go	<= 4.2511.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the use of a hard-coded secret for JWT token validation in the actiontech/sqle repository. The file sqle/utils/jwt.go defines a global variable JWTSecretKey with a default value of "secret". This key is used by the functions ParseAuditPlanName and GetUserNameFromJWTToken to verify the integrity of incoming JWTs. Because this secret is publicly known, an attacker can easily forge JWT tokens and sign them with the same secret. These forged tokens will be considered valid by the application, allowing the attacker to impersonate other users and gain unauthorized access to protected resources. The analysis of the issue and the provided source code confirms that any function relying on JWTSecretKey for token validation is vulnerable.

Vulnerable functions

utils.ParseAuditPlanName

sqle/utils/jwt.go

The function `ParseAuditPlanName` uses a hard-coded JWT secret key (`JWTSecretKey`) to verify the signature of the JWT token. An attacker can forge a token using the same hard-coded secret and bypass authentication.

utils.GetUserNameFromJWTToken

sqle/utils/jwt.go

The function `GetUserNameFromJWTToken` uses a hard-coded JWT secret key (`JWTSecretKey`) to parse and validate the JWT token. This allows an attacker to craft a malicious token with arbitrary claims, including a forged username, and the server will accept it as valid.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-15107: actiontech sqle JWT Secret jwt.go hard-coded key

CVE-2025-15107:

6.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

CVE-2025-15107: actiontech sqle JWT Secret jwt.go hard-coded key

6.3

6.3

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI