CVE-2025-51606

Name of the Vulnerable Software and Affected Versions: hippo4j versions 1.0.0 through 1.5.0

Description: hippo4j uses a hard-coded secret key in its JWT (JSON Web Token) creation. This allows attackers with access to the source code or compiled binary to forge valid access tokens and impersonate any user, including privileged ones such as admin. The issue poses a critical security risk in systems where authentication and authorization rely on the integrity of JWTs.

Recommendations: versions prior to 1.6.0 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.