CVE-2025-43866

Advisory

Affected versions of this package are vulnerable to JWT Token Forgery due to the use of cryptographically weak UUID1 for auto-generating JWT secret keys. The JWT secret key generation mechanism fails to use cryptographically secure randomness, leading to predictable secret keys that can be exploited by attackers to forge valid JWT tokens. UUID1 values are partially predictable as they incorporate timestamp and MAC address information, making them unsuitable for cryptographic purposes. This vulnerability allows attackers to potentially predict or brute-force the JWT secret key, enabling them to create arbitrary valid tokens and bypass authentication mechanisms. The fix involves replacing UUID1 with UUID4 for generating API keys and JWT secrets, as UUID4 uses cryptographically secure pseudo-random number generation, making the generated secrets unpredictable and suitable for security-critical applications.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://github.com/vantage6/vantage6/commit/e39a262faf1cd4c554bf1b8e57eeea082da995c0
• https://github.com/advisories/GHSA-m3mq-f375-5vgh
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-43866