CVE-2025-7079

Name of the Vulnerable Software and Affected Versions: mao888 bluebell-plus versions up to 2.3.0

Description: A problematic vulnerability has been found in the JWT Token Handler component, affecting the processing of the file bluebell backend/pkg/jwt/jwt.go. The issue involves the manipulation of the mySecret argument with the input bluebell-plus, leading to the use of a hard-coded password. The attack can be initiated remotely, with a rather high complexity and difficult exploitation. The exploit has been disclosed to the public and may be used.

Recommendations: For mao888 bluebell-plus versions up to 2.3.0, consider updating to a version that fixes the hard-coded password issue in the JWT Token Handler component. As a temporary workaround, restrict access to the mySecret argument in the JWT Token Handler to minimize the risk of exploitation. Avoid using the mySecret argument with the input bluebell-plus in the affected component until the issue is resolved.