N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54981

CVE-2025-54981: Apache StreamPark uses a Weak Encryption Algorithm

Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data

This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.

Users are recommended to upgrade to version 2.1.7, which fixes the issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-54981

CVE-2025-54981:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.streampark:streampark	maven	>= 2.0.0, < 2.1.7	2.1.7

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is rooted in the org.apache.streampark.console.base.util.EncryptUtils class, which was responsible for encryption and decryption operations. The analysis of the patch 39034db0c806168afa82e58e4f376e1e3c3b73e4 reveals that this class was entirely removed. The core issue lies in the getCipher method within this class. It initialized an AES cipher by calling Cipher.getInstance("AES") without specifying a block cipher mode of operation. This causes the JCE provider to default to AES/ECB/PKCS5Padding, where ECB (Electronic Codebook) mode is known to be insecure because it encrypts identical blocks of plaintext into identical blocks of ciphertext, revealing patterns in the data. Additionally, it used SecureRandom.getInstance("SHA1PRNG"), a weak pseudo-random number generator, for generating the encryption key.

The vulnerable EncryptUtils.encrypt and EncryptUtils.decrypt functions were used in critical parts of the authentication flow. Specifically, JWTUtil.sign called EncryptUtils.encrypt to protect the JWT token, and JWTFilter.executeLogin called EncryptUtils.decrypt to process the incoming token. This means that the JWT tokens, which are used for user authentication, were protected by weak cryptography, potentially allowing an attacker to decrypt them or forge valid tokens.

The patch remediates this by removing the EncryptUtils class and replacing it with a new, more secure implementation within JWTUtil. The new implementation uses AES/GCM/NoPadding, which is an authenticated encryption mode that provides both confidentiality and integrity, and a strong, properly seeded random number generator for the initialization vector (IV).

Vulnerable functions

org.apache.streampark.console.base.util.EncryptUtils.encrypt

streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/base/util/EncryptUtils.java

This function encrypts data using AES in ECB mode, which is insecure and vulnerable to pattern analysis. It was used to encrypt sensitive data, including JWT tokens. The entire class `EncryptUtils` was removed in the patch.

org.apache.streampark.console.base.util.EncryptUtils.decrypt

streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/base/util/EncryptUtils.java

This function decrypts data that was encrypted with the weak `encrypt` function. It was used in the authentication filter (`JWTFilter`) to decrypt incoming JWT tokens.

org.apache.streampark.console.base.util.EncryptUtils.getCipher

streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/base/util/EncryptUtils.java

This private helper function is the root cause of the vulnerability. It initializes an AES cipher without specifying a mode of operation, which defaults to the insecure ECB mode in many Java environments. It also uses a weak pseudo-random number generator (`SHA1PRNG`) for key generation, seeded with a predictable value.

org.apache.streampark.console.system.authentication.JWTFilter.executeLogin

streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/authentication/JWTFilter.java

This function is part of the authentication process and was responsible for calling the weak decryption method `EncryptUtils.decrypt` on the incoming authentication token. An attacker could potentially exploit the weak encryption to forge tokens.

org.apache.streampark.console.system.authentication.JWTUtil.sign

streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/authentication/JWTUtil.java

This function was responsible for signing and then encrypting the JWT token. It used the vulnerable `EncryptUtils.encrypt` method, leading to the creation of weakly encrypted tokens.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-54981: Apache StreamPark uses a Weak Encryption Algorithm

CVE-2025-54981:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

CVE-2025-54981: Apache StreamPark uses a Weak Encryption Algorithm

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI