PT-2025-33360 · Linlinjava · Litemall

Ez-Lbz · Published 2025-08-14 · Updated 2025-08-15 · CVE-2025-8974

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: linlinjava litemall versions up to 1.8.0
Description: A vulnerability exists in linlinjava litemall up to version 1.8.0, specifically within the JSON Web Token Handler component, located in the file litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHelper.java. The manipulation of the SECRET argument through the X-Litemall-Token input leads to the exposure of hard-coded credentials. This issue can be exploited remotely, although the attack complexity is considered high and exploitation is difficult. The exploit has been publicly disclosed.
Recommendations: Versions prior to 1.8.0 are recommended.
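As an added illustration (not code from the litemall project), this is the defender-side shape of a token helper that avoids the weakness described above: the HS256 key is loaded from deployment configuration instead of a string literal, the service fails closed when it is missing or too short, and token verification uses a constant-time comparison plus an expiry check. The environment variable name and the claim layout are assumptions, not the project's.

```python
import base64, hashlib, hmac, json, os, time
from typing import Optional

SECRET_ENV = "LITEMALL_JWT_SECRET"  # hypothetical variable name, not from the project
MIN_SECRET_BYTES = 32               # 256-bit key, the HS256 minimum in RFC 7518

def load_secret(env=os.environ) -> bytes:
    """Fail closed: the signing key comes from configuration, never from source."""
    value = env.get(SECRET_ENV)
    if not value:
        raise RuntimeError(f"{SECRET_ENV} is not set; refusing to fall back to a default")
    key = value.encode()
    if len(key) < MIN_SECRET_BYTES:
        raise RuntimeError(f"{SECRET_ENV} must be at least {MIN_SECRET_BYTES} bytes")
    return key

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT (the value a client would send as X-Litemall-Token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims of a valid, unexpired token, or None on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # pin the algorithm; never trust "alg" chosen by the client
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict):
            return None
        if claims.get("exp", 0) <= (now if now is not None else time.time()):
            return None
        return claims
    except ValueError:  # bad base64, bad JSON or wrong segment count
        return None
```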

Weakness Enumeration: Using Hardcoded Credentials

Related Identifiers: CVE-2025-8974

Affected Products: Litemall